Using Data Security Platforms in a Modern, Hybrid World

Wow. Hello and welcome to another KU Core webinar. Our topic for today is using data security platforms in a modern hybrid world. My name is Alexei Balaganski, I'm a lead Analyst here at Kku Core Analysts. And my guest for today is Terry Ray, who is a senior vice president and fellow at Imperva. But before we begin, a few housekeeping notes. First of all, you are all muted centrally so you don't have to worry about your audio settings or you can just listen, take notes and feel free to do it at your own phase.

We will be doing a couple of polls during the webinar, but we'll only discuss the results during the q and a part in the end. And yeah, so there will be a q and a, a question and answer session after our respective presentations. And you can submit your questions using the the, the browser tool which you are using to watch this presentation. We'll be recording the entire thing and the video along along with the slides will be made available to all registered participants of this webinar@copyacode.com. Probably tomorrow. And without further ado, let's just jump into our topic.

So the agenda for today is split into three parts. As usual, I will start giving some kind of our high level neutral perspective on the entire state of the data protection market, the its strengths and challenges. And I will dive a little bit deeper into the concept of a data security platform, what they do or what they should be doing and how they have evolved recently. And then I will allow Terry Ray to provide you with much more technical and expertise and industry experience on data protection.

So since he'll be talking about practical solutions, how they are implemented, deployed, and so on. And as I mentioned in the end we'll be answering your questions. So let's start our first short poll. The question is really simple. How familiar are you with data security platforms as a concept or as a specific product? Please are great your knowledge from never heard of them before to be real, being a real expert and knowing everything. Okay. And while we are at it, I can already see that some people already actually have a a working implementation.

So I'm wondering why are you even taking part in today's webinar? So maybe you are not happy with your current chosen solution. So if you stay longer you will learn about some interesting alternatives. So I guess we had enough time for the first poll. Let's close it and move on to the rest of my presentation.

Okay, so I guess we have to start by reminding again what we've done multiple times already, that we are living in a profoundly insecure world because we face a lot of challenges, technical or non-technical daily starting from the political turmoil, elections and sanctions, wars and recessions we have to face with, we have to face industry espionage daily because of course everybody out there is after our quote unquote crown jewels, the most sensitive and precious bits of data like intellectual property.

We have a deluge of malware and ransomware because again, everybody out there is trying to basically make our lives miserable by breaking our things, locking our files, and just holding our daily business activities to ransom. And of course we have to deal with the modern tech technical challenges, multi-cloud as a new normal, increasingly mobile workforce, especially when they're working from home cloud-based business and collaboration platforms and of course lots of new emerging privacy and compliance regulations.

It's up to you to decide which risk to consider the biggest, but they are all here and we have to deal with them regardless where we are living or doing our business. But before going into details, I would like to address the elephant in the room. That whole story about protecting the crown jewels is essentially, in my opinion, a very wrong way of looking at data security. What you're often being told by vendors or marketing people that basically data is the new gold data is the new oil printer, ink, crown, jewels, you name it.

And I believe that while it of course partially is true because you do derive a lot of your tangible profit from that data hopefully, or at least you are planning to, but you also have to consider the drawbacks. Most of data businesses are collecting or sitting on basically it just has no intrinsic value. You have to do something, you have to transform the data, you have to dig into it to find something useful or valuable. Some of the data you own or you have to store is just plain toxic and it can cause you a lot of potential problems if not handled properly.

Of course, everyone is talking about sensitive data like P I I P H I and other types of legally protected information. But it's not just those types of data which can be dangerous. So are you actually, should you be more interested in securing your data or securing yourself from your data? I would argue that you have to consider both. And this is exactly what we are discussing in today's webinar. So what does the real business challenges companies are facing when dealing with digital data?

Again, the most obvious one in that data to value gap, you have lots of data perhaps, but for whatever reasons, technological, legal, compliance, whatever, you cannot derive enough value from the data. So obviously you are looking to force solutions which can ease the transition, which could help you to find more value in your data. And of course one of the promises nowadays is to move your data to the cloud or in fact into a multi-cloud environment. Another problem is data scroll.

You have lots of small data silos from legacy or even modern applications, data sources, third party data and so on. And they are all stored in different formats in different technological stacks under, behind different security controls. And somehow you have to deal with all of those types of data sources, hopefully in a consistent way, otherwise they'll just be overwhelmed. And finally, data friction. How to make this data available to all the interested stakeholders, developers, data scientists, business people, marketing teams, contractors and so on.

But again, not just quickly and easily, but also securely and in a compliant manner. And of course you have to consider all those usual things you are thinking about when thinking about data security, confidentiality, availability, consistency, compliance.

But again, you should al also think about the left part of this slide as well. So can you actually solve all those challenges with a a single quote unquote data protection tool? Does such a tool even exists or can it be built even if you find such a tool, who within your organization is supposed to purchase and set it up and monitor and operate this tool?

Should it be your security team, your data team, your developers who will be paying for that and who will be responsible for all the, those challenges that many businesses still considerable, just kind of hindrances that drags your, prevent you from going to your shiny digital future as quickly as possible? Well, one thing to consider is that traditionally security in the IT world has always been infrastructure centric. So you would have to protect your network separately, your endpoints, your databases, your services, sorry, your servers and stuff.

And an alternative that has emerged a few years ago was data centric security. So instead of focusing on our infrastructure, why not protect the quote unquote data itself on, on paper it sounds a lot easier and really, really interesting. Data should somehow be self-describing and self defending. You should be able to create a single policy for protecting that data and it would somehow apply consistently across all our environments, systems and technology stacks.

And of course that those policies should apply at all times when the data is not just being stored, but it also when it moves or being transformed, sounds good. But how to build it. Obviously until we all our data somehow gains conscience and becomes really self defending, it would never happen.

So we have to find some compromise solutions and obviously those boil down to if you must have capabilities, which every so-called data protection platform has to implement, such as data discovery, classification, monitoring, you have to know where your data is and what kinds of data you have in different places. You have to understand which data is more important than the rest because you would have to apply different policies to it at the very least. And of course you have to know what's happening with the data at any time.

And finally you have to somehow protect it from tempering, from stealing, from leaking to third parties. Otherwise you will have massive security and compliance problems. When thinking about data, a lot of of, well a lot of people think about protecting data like they think about protecting well gold, just put it into a safe that is encrypt your data and it's, and it's done. You are safe now your data is secure. As I mentioned earlier, data does not exist in vacuum.

It has no intrinsic value unless you transform it, unless you process it, unless you move it between various systems which are, which can be located on-prem of course, but also in the cloud or even across multiple clouds. On this slide I just thrown together a quick example of how you would typically move your quote unquote normal business data across different systems. And you have to understand that all those systems can be located on-prem or in different clouds and sooner or later you will start facing the additional challenge.

How do you manage all those multiple clouds in a consistent manner? Because all those public clouds and private clouds and Kubernetes environments, whatever, they have different APIs that have different identity and security controls and so on. And somehow you have to deal with it because if you're not protecting all pathways to your data across all your IT environments or a hacker only needs one unprotected hole to completely negate all your data protection efforts, another thing to consider is that well data is a lineage.

Data doesn't appear from nowhere and it doesn't disappear just like matter or energy in the universe. Data is created, processed, moved around, transformed, and somehow disposed of in the end. Now we're talking about information protection lifecycle. We have to understand that the data has to be protected at every step of the cycle from the acquisition to controlling access to IT and monitoring and containing and recovering from our data breaches. And finally to secure disposal. It all belongs to the core capabilities of every data security platform as well.

And of course, again, it has to work across multiple IT environments, multiple clouds. One way to actually turn data centric security into a a tangible set of existing technologies and capabilities is to implement the old and proven defense in depth approach. The layered approach to data protection where you build a set of capabilities around your data sources and you make sure that those capabilities are operate in the court, that they actually know about each other's existence, that they at the very least produce a common set of telemetry events.

But ideally, of course they have to basically support each other in a, for lack of better word, holistic manner. So you not just have a set of individual tools who, which you would have to operate well with different teams, different skill sets. Those tools have to work together as a mesh or as a fabric if you will. And only when they do operate together in that MA in that manner, we actually have the moral right if you will, to call such a solution, a data security platform.

And one thing we did earlier this year precisely in April, we have released a leadership compass of what we call our company calls multi-vendor analytics report, where we have looked at the major players in this data security platform market and we try to compare their approaches towards combining these capabilities together and rank their capabilities. And on this slide you can just say a list of the leaders, the overall leaders, basically the vendors which do at least at core beliefs. We do this the best. And you might be noticing IMP Empower as one of the leaders as well.

And if you're interested in knowing their capabilities, you know more detail, I would recommend reading this leadership compass after the webinar of course. But right now we'll give you a really quick overview of what we have analyzed. We have identified a few of core broad categories of capabilities, which we believe every data security platform has to implement. It has to be able to, it still has to be able to find vulnerabilities in database infrastructures because they still exist and they still can be misconfigured or broken or just outdated.

But of course it has to also be able to discover and identify and classify your existing data across all environments to then provide this data for proper policy-based security controls. It has to actually be able to deploy and enforce those security controls. So it has to support a lot of capabilities like encryption, masking, tokenization, addressed, intrinsic and ideally also in use. It has to monitor and analyze all the security events consistently. It has to know what's going on around your data and it has to able to make some smart decisions about it.

It not just give you a list of millions of security events but actually identify specific suspicious or malicious activities, align them with known techniques of hackers and basically guide your remediation. And of course it has to implement access management, it has to provide reach, audit and compliance support capabilities. And last but not least, it has to somehow not be in the in your way because the last thing anybody wants from a security tool is to somehow inhibit your business processes. So an ideal secu security platform is one that just is there.

Transparent, invisible does not prevent you from doing your daily work. And as I mentioned, we have covered around 30 vendors in total and IMP Empower is one of those. And as an example, I'm showing here what our strengths and challenges we have identified for this particular vendor. And of course you'll find the same kinds of coverage for all other vendors as well. So on a spider chart for example, the closer this chart to circle a circle the better. So I think in PER has been doing pretty well in that regard.

So, and we will find out a little bit more about that later. And finally, I would like to summarize the takeaways from my presentation.

Again, data security is much more than just protecting data secrecy. So yes, you have to keep your data safe, but you cannot put it in a safe because you have to let your data work for you. And this protection has to apply at any point in time, especially in use, again, data security on its own or is difficult to sell because first of all, nobody wants to pay for it because it does not supposedly generate any business value. And what we want to demonstrate in today's webinar is that no, it actually does. A modern data security solution does much more than just securing your data.

It can actually enable a lot of business processes or at least remove a lot of that friction for accessing your data whenever it's needed. Again, an ideal data security solution is the one that does not get in the way. And this is probably the biggest thing you should be looking for in a, in a great data security solution as opposed to an average one. And of course ideally it has to cover all the gaps.

We do know that we still face data in different format, structured unstructured SQL or no sql, an ideal data security platform has to deal with all that data because if you only have like one attack vector, one system, one data source, which is not covered by your data security, you have a lot of problem, a lot of problems. And that data protection has to be consistent at every stage of data lifecycle. We are not there yet. Obviously there is no one single solution which can do that. And the next biggest question everybody is asking themselves, so should we look for one turnkey solution?

Should we build it from the best of breed modules from different vendors? Is it really dichotomy? And what exactly is a data security fabric as opposed to data security platform? And I believe this is the right moment for me to give the stage to Terry Ray who will be explaining all these terms and will show all the capabilities of a real life data security platform.

So Terry, welcome, Thanks Alexei. O obviously as always, you know a a, a great introduction from Alexi around the world of data security, data compliance, data criticality, threat detection, really being able to define what a data security platform is all about in terms of a KuppingerCole. We're gonna talk a little bit about what Imperva's data security platform, what we call a data security fabric, is all about. I'm not gonna get super technical in this portion of the presentation, but I am gonna talk about how organizations do leverage this kind of technology.

So let's go ahead and jump right into it. If you don't know, I just like to begin with who Imperva really is. And and I I keep this slide really short and simple 'cause there's usually two batches of people, three batches of people out there. There's the person that has never heard of Imperva, that's fine. And then there's the person that says, well, I know of Imperva because maybe I use your web application firewall or I've looked at your application firewall before. That's part of our business. Protecting the front end access to all of your data, your web applications.

The other side of our business and frankly what we're going to talk to and talk about today is protecting that backend where all of your data lives resides and is shared, if you will, as as, as Alexi was talking about all of your data stores in the cloud, on-prem, whatever kind they happen to be and making certain that you understand where we work in that blue area. As you see over here, I won't be talking about the green and the purple, but if you have questions later on I can take them or at least direct you to the right people to get those.

The first thing I would say when it comes to data security is at the end of the day, data security means something a little bit different to each different role or each different person or function within an individual organization. You may have security, I hopefully you have security, you may have cloud architects who certainly have executives that possibly compliance falls under, whether it's risk or legal. And then maybe you have a technical end user, someone who, who is technical enough to understand the criticality of their data and the security controls that apply to it.

I realize that a lot of times you don't really have those technical users that understand the criticality of their data. They're just technical users that know they need data. At the end of the day, each one of these individual roles defines data security a little bit differently. Your IT security professionals may define data security as, please don't let me lose data or please don't let my phone ring saying that there's a bug bounty and someone says they've gained access or potential access to my data. How do I make sure that doesn't happen?

The cloud architect says, look, I need to enable moving more things to the cloud. I don't want a business unit saying I'm not going to the cloud because I don't trust the security or I'm not going to the cloud because I don't trust compliance. That cloud architect says, I want you to feel comfortable going to the cloud. You should be able to move your assets to the cloud as securely, if not more securely than what you already have where those assets already exist and do that, as I said, in a secure way. Your executives in compliance, they kind of want two different things, right?

The executives say, I just wanna make sure I'm not gonna get in the news. I wanna make sure I'm not gonna get in trouble. Give me maybe a risk score. Tell me how I'm doing, compare me to my peers. How am I gonna not be like company X, y, z down the street that just lost a lot of records or just filled a a, a regulatory compliance. And of course your, your compliance auditor is saying, I don't need to protect everything frankly, even protection, love protection, that's wonderful, but really here's the list of things you need to make sure I have a report on and I have a capability for.

I need to make sure I can do all these things. Please, please deliver me proof that we have met these requirements. Sometimes people call that checkbox, some people call that doing the right thing, doing best practice all depends on your organization and your compliance organization itself. How they define those things. Each one does it a little differently. And lastly, like I said, the technical user, they have their own requirements and their own understanding of their data.

The point here is this is that data security means something different to each individual function of an organization. But data security actually is important across the board, across the organization because it can impact every single facet of the organization. When we look at successful data security teams, successful programs, successful strategies, there are some very common things that that that bubble to the top. But I would call these six requirements. Number one, you can't be limited to having technology or processes that only support the cloud or only support on-prem.

You really have to have technology in today's world that is flexible enough to go wherever your business is today and where it's going to be tomorrow. Today you're on-prem or today you're in the cloud. Tomorrow you make an acquisition and all of a sudden you've got both. Does your technology expand to be able to cover everything in your environment? It needs to and it should reduce the need for specialized security skills. Cyber skills may not surprise you.

If you go to LinkedIn and you type in network security in quotes, you're gonna get a million and a half people that are network security professionals or claim to be. If you type in database security in quotes, you're gonna get about 36,000 people that say they're specialized in database security. So you're looking for technology that doesn't really require a lot of specialized cybersecurity skills specific to data. You need automation. At the end of the day, data security is, is perceived as complex. It doesn't have to be complex.

And so a lot of these technologies, ours included, bring automation to play to say let us do all of this work for you. We've been doing it for 20 years. Let us help you do this. Not from a people perspective but from an automation, from an ai, from a machine learning perspective, let the technology work for you. It has to be high performance. It can't slow down your business and the technology that you bring to bear can't say that I can only support a little bit of your traffic because that's just too much.

The technology has to say, it doesn't matter what you have flowing through your environment. I can support and monitor as much as all of your traffic all the way down to a little bit depending on what you need. It has to have that scale and capability when it comes to compliance. Compliance should be easy. Whether you're in Europe with G D P R and you've got 72 hours to respond to a breach notification, you need to be able to generate a report rapidly and say, I know exactly every single user over the last 2, 3, 4, 7 years who has accessed this kind of data.

Now I maybe I don't need it for need it for seven years, that's perfectly fine, but I need to be able to generate that report rapidly. I need to be able to get answers rapidly. What did Chuck do? Chuck being just a person, but what did Chuck do three weeks ago? I need to know everything he did, everything he touched and I hope I was looking at it, if I have a solid data security program, I can tell you everything that TR Chuck did because that's what you need for incident response. I need that map. And lastly, knowing what somebody did is certainly valuable.

Being able to say, not only do I know what Chuck did, I know that Chuck tried to access a million records but I stopped and we blocked it and we already know about it. So we're all good. I have the incident response and I've got that protection and being able to protect all paths to what I deem is sensitive data, what compliance deems as sensitive data from that perspective. This is not a slide I'm going to read here, but this is really a bit of a story and the story is this, it's good data protection really should be made as simple as possible. So there's a lot of things.

You saw Alexi's slides talking about the elements and I wrote it down here, right? The layered approach to data protection. When we think about that layered approach, there's a lot of stuff if you really break down each one of those. But if you sum up all of those items, they're right there in Alexi's layered approach to data security. And if I simplify it even further and just put it really in three buckets, it comes down to the three primary drivers that organizations come to Imperva for.

They say, Imperva, somebody else told me I need to do data security now. I don't like it when people then when that's people's reason because I think that best data security should be just best practice. But a lot of organizations do come to us and say, someone else told me I need this. That's what I call compliance. G D P R said, I need to protect my data. I need to classify my data, I need to monitor my data, I need to do all these things so therefore I'm gonna go do it fine. That's on the compliance side with a little bit of crossover to the blue and the red.

I have other customers that say, maybe I didn't lose data but my competitor down the street did and now they're in the news and my executives are asking me, are we gonna be like them? Are we gonna have those same problems? I need to be able to dis demonstrate to my executives that I've done the right things, I've got security, I've got the tools and the technology in place to be able to prevent things happening from us that happen to other people.

And as a big part of that, step one for a lot of people, even though in my opinion it shouldn't be step one and doesn't have to be, is classification discovery of assets. Yes, it's true. You need to know where your assets are before you can secure them. It's kind of true that you need to know what kind of data that you have before you can secure it. Not really. If you have something that's fully scalable, you can monitor everything, you can secure everything. You might want to tighten those controls down a little bit more.

When it comes to your sensitive data, and I totally get that, but like network security, like endpoint security, why would we have data security and only five or 10% of my environment? Why don't I cover everything like I do with network security and endpoint security? If you have a scalable product and a product capable of doing it, why wouldn't you just cover everything? That's a common question I hear from a lot of customers and the answer is, if you have a data security platform, what we call a data security fabric, then you absolutely can.

You can have this layered approach as Alexi talks about as as the definition of data security platforms is having, and I'm going down the middle of the list. Data activity monitoring, monitoring data. In my opinion, 20 years of doing this, you need to monitor everything. You cannot predict where people are going to begin their journey modifying, stealing, exposing, or just, you know, negligently sharing your data with other people, monitor it all. Have you ever been to a museum? We talked about the sharing of data and the fact that data as, as Alexis said, data is not the new oil, right?

It's, it's kinda like gold that you maybe you, you normally just stick in a safe but you can't. It's also like a museum. It's all this valuable stuff, but the whole purpose of this valuable stuff is sharing it with other people. But you have to do it in a secure way. Have you ever been to a museum that didn't have a camera in the corner of every single room, didn't have a security guard between the rooms watching you.

They re, they got it. Everything's important. It's not just the Mona Lisa and the and the girl with the Pearl Pearl earring in the Vermeer. It's all of the other paintings as well. They're all important so they look at them all 'cause they don't know which one you're going to take. The same thing exists here. You have to have this ecosystem of technology monitoring data, controlling data, having analytics to look at for threats within that data discovering classification. You get the list here. The important thing when it comes to having a successful platform isn't just having this stuff.

That's an important piece, but you, what do you do with that stuff and what coverage do you get? You have to be able to bring all of that technology together on-prem and in every modern database in the world. All of those clouds that are out there, AliCloud, I B M, Oracle, A w, ss, Azure, Google, you've gotta support 'em all. 'cause I don't know which one you're gonna be in tomorrow. I've gotta support structured, semi-structured and even files, unstructured data. You've gotta support all of that as well and do it well.

You have to be able to support more than just your own company's technologies. You have to have an ecosystem of technologies that you're going to work with. Things like encryption vendors, masking vendors, content resource management vendors as C D M C C D M A vendors and other type of vendors, your ServiceNow's and others. Those all have to be done. The big piece is you have to bring it all together into one really simple story, which is to be able to answer simple questions in one place and say, what did Chuck do? What did Terry do? Who accessed this data?

I don't wanna have to go to six, 10, a hundred different places to figure out who access data. I wanna ask one thing about data. Who accessed my credit cards over the last month? It'll be a long list and I'm gonna drill down to that list to exactly what I'm looking for. It's the worst day for a security department when someone says, who accessed your private data? And your answer is, I have no idea. I don't know. That data wasn't really considered important to me, but it's important to somebody else and now you're in trouble and you don't have an answer for it.

This happens more frequently than you think. Where organizations thought they were protecting their sensitive data, they lose data that was sensitive to somebody else just not on their list. This goes back to why don't we just protect everything in data security like we do network security, like we do endpoint security. Are there some networks that aren't important as others? Of course there are. Do they have security on them? Of course they do. Are there some laptops that are less important than others? Yes.

You get the story point is, is why do we do something different when it comes to data security? I don't necessarily have the answer for you except for maybe it's perceived as complex and really it shouldn't be. From a high level perspective, when we think about a unified platform, as I said, it's about being able to do everything that you see over on the right on-prem in the cloud doesn't make a difference.

Taking it down to the bottom, doesn't matter what cloud it it is or modern data store, it happens to be all the way to even healthcare and unified and proprietary data stores like some of the electronic medical record systems that are out there. Being able to support the technology that your business needs to be supported is what you're looking for in a data security platform. And of course that ecosystem that we see over on the left in a very simple way, this is of course not an exhaustive list. There are over 2000 integrations that exist with a, within the Imperva framework.

These are just the highlights of a few that that pop up more frequently than others. Again, not, not another exhaustive list necessarily, but I do find a lot of customers say, well, I wonder if if, if they support my data store, I wonder if they support my environment. So we put yet again some of the more common ones on here, but I just want to double down because it is this important. If your technology that you have today only supports one environment, you have to ask, ask yourself what happens when you move to another environment?

Almost every U user I have today is, or is moving not just to the cloud, but they're moving to multi-cloud and they still have many of them, especially established businesses like financial services, insurance and healthcare, still have a, have a lot of stuff on-prem and they need all of those things that you see on the left database as a service. Certainly there's a lot of things spinning up there.

Big data, no question. Everybody's got some element of it, but certainly the, I'm gonna call 'em legacy, but the long tail of everything you've been doing for years and years, all of that on-premise work that you have, not, not, not because you don't trust the cloud, just because oftentimes it's not possible or feasible to, to lift and shift or modernize an application that has an on-prem database, mainframe ass 400 z o s. These are still things and and there are businesses still making money from them, but they still need the security like everything else.

And lastly, unstructured, it's not lastly because it's less important, it's, it's lastly just 'cause frankly it's just at the bottom of the list, but unstructured is critical to being able to recognize where your data is and where your data lives and making certain that you have a technology that can support all of that. Now, I've talked about ecosystems, but your ecosystem isn't just about having a technology, like a data security platform like Imperva sending data to a sim.

Yes, that's something that we do, but it's about bringing data into an environment. It's about being able to say, what do I know about a user? I see a database user logging in. Can I pull information from active directory and learn more about that user? Maybe I can learn that.

Who their, who their manager is, who their manager's manager, what department they're in, what they do for a job. Because all of that lends context. When I send an alert over to your SOC and that SOC engineer says, okay, I see a user doing something maybe they shouldn't be doing. What do I know about this user? Here's a lot of information about him. He's in technical support, his manager's here.

He did not have a pre-approval from the from ServiceNow to go do what he just now, now did all of these things make it so easy to do incident response and to triage an incident, bringing this ecosystem context in and being able to support whatever technology you have. One big piece of that simplicity is about translating structured query language into plain English.

Now, yes, I can translate to Chinese and a lot of other things. We support a lot of languages, but in simple terms, being able to translate this into a language a SOC engineer can understand, the reality is is as I said earlier, there are only 36,000 experts or claimed experts in the world on database security. So why would I expect my SOC engineer to understand just the information in the, in the, in the first box, select star from accounts where account number is like 1, 2, 3, 4. Now some of us may know what that means. Some of us may not.

A lot of SOC engineers may not, but there's no context with that. If I can bring that context into this and say, okay, well I see the query, but I can tell you that his Joe, he's a human. I can give you his ip, I can tell you where he works. I can tell you that the data that he touched is sensitive data to your organization. And I can tell you that that select means that he looked at data or pooled data and I can tell you he did it 50 times and the result was 1.5 million records. And using analytics, I can tell you he doesn't normally do that. I can tell you his peers don't normally do that.

And I can tell you, in fact, the only person that ever does that is actually an A P I that should be doing that. And they don't pull a million records. They pull one record at a time. All of that means your SOC engineer now does not need to be a cybersecurity expert in data security. They just need to be able to recognize that doesn't sound right. This is something I do need to investigate. It takes you away from that world of just general alerts and, and things we ignore to something that is highly actionable into an organization.

And all of this comes together in certainly our unified interface, but can be fully externalized to, I've mentioned ServiceNow a thousand times, but B M C or or, or a sim of your flavor or choice, wherever you want this information to go, because that's what your teams are familiar with, send the information over there. They can come back to our system if they need to at some point. But having that unified visibility means you have one place to go. Now there are some examples here that we have.

I'm not gonna spend a lot of time on these except to say, when we look at the industries that we see here, global financial services, healthcare providers, retail online businesses, certainly different capacities and different needs in each one of these.

From an Imperva perspective, the industry just flat does not matter because we do support on-prem cloud, multi-cloud, we have the scale to monitor everything from the largest banks in the world to the smallest mom and pop organizations with simple technology that just needs to cover one or two data stores doesn't make a difference to us or our users as long as it's something that does not require them, require them to have significant data security skills. Does that mean none of our customers have data security, security skills? Absolutely not.

Lots of our customers have significant data security skills and they do a lot of really interesting things with our technology, but they don't have to. It's built out of the box to be able to solve for any industry that happens to be out there. Now this is my last slide and I'd love to open it up for questions. So I'm gonna preemptively say if you have questions, you can certainly start putting them in there while I finish up this last thought. So there are some questions that I think you should ask yourself, a lot of users say to themselves.

I, I I'm good, I'm, I've already got a solid data security program. I think I'm doing a pretty good job.

Well, Imperva has technology coming out later on this year that's going to actually help, help you answer that for, for, for for a quantitative perspective. But for now, I'm gonna ask you to ask yourself these questions and, and I wanna show you how you ask yourself these questions. I'm gonna just, I'm not gonna read all of these, but the first one here is where specifically is your private data located? There's a lot of things to unpack in just that one sentence. Number one, what do you think is your private data? What does your organization think?

Is your private data, is it just intellectual property and credit cards, but names, addresses and phone numbers because maybe you live in the US don't matter. That's not really private data because it's not regulated. You live in the, in, in the EU and certainly names, addresses and phone numbers are private data. All of this matters to each individual organization. How do you define your private data?

Is it, is it just important to the organization or is it important to your users and how people would manipulate that data? The other thing to unpack here is where specifically is it? It's not enough to say and raise your hand and say, I know where my private data is.

I, my private data is just credit cards and it's in that server, that's my credit card server. So it's down there.

Of course, we all know your data, your, your credit cards are in simplifying this or in the credit card server. We know that o obviously the question we're asking and a regulator and best practice is asking, can you prove, have you looked to see if any of that credit card data has moved anywhere else in the organization? You'd be surprised to find out that shadow data lives all over the organization. And so that's what we're talking about when you ask yourselves these questions, ask yourselves these questions as what we call a devil's advocate.

Try to find holes in your answer and see if you can find those holes in your answer. If you can answer these questions and you can do a great job at it and really dig into these questions and, and, and have a solid, yes, I can do this.

Honestly, you probably have a pretty good data security strategy and say pretty good data security program, at least compared to a lot of other organizations. I don't find a lot of organizations that don't have appropriate automated technology. I don't find that they can really answer these questions. And so that's why I say if you wanna know if you really have a solid data security program, put yourself through this little test later on later on this year we'll be talking about some automation and technology that actually answers these questions for you. We'll come to that later on.

But for now I'm gonna hand it back over to Alexi who can take us through some of the, the questions that you might have. So Alexi, I'm gonna take it back over to you. Well thank you very much Terry. That was really a really interesting kind of deep down insight into what those imaginary capabilities I was talking about earlier are actually translating to from a technology perspective. Just to remind to our audience quickly that we do have some time left for a question that answers session.

So, but before that, let's just quickly run another poll. Just first we asked what, what, what did you know about data security platforms? And now we want to know like what has your perception changed somehow after this webinar? So can you please let our audience cast their votes? And in the meantime I want to add another bite or that food for thought that TE just presented. I specifically, I want to focus on this term data activity monitoring.

Terry, you listed it as a kind of a first bullet point in your presentation and I totally agree it's really important, but we have to think about it in a slightly bigger way than most people probably think. Data activity monitoring does not, is not limited to data base activity monitoring. Absolutely. That's like the biggest mistake you could possibly have made because as I mentioned, data doesn't exist in one place. Data is moving, data is being accessed, data is being transformed, data is being consumed like people by services, by apps, by APIs.

And at every moment and at every location in that big graph like structure or with a data life cycle, you have to know what's going on. But this is basically like the most important part of this data centric security concept. Because if you don't know where your data is, what, what it's undergoing at the moment, regardless where it's located in the database on the wire, on the, on the on, it's a way to a consumer or in the a p i in a web app, anywhere else in the cloud, you have to know what's going on. So in a way, data security basically covers the entirety of information security at all.

And either you have to do it this way, like the extensive way or you have to think about potential alternatives. Like for example, zero trust. If you can guarantee that your entire IT architecture is designed with only for you have allowed and closely monitored highways for your data, then you can of course focus your data activity monitoring only on those parties.

But you still have to know, you still have somehow to be able to prove that yes, this is actually, that your coverage is a hundred percent and that's probably like the most important question every auditor, every compliance regulation will be asking.

I think that's, I mean that that's, it's it's, it's a really, i i first off, I totally agree with you and I think that's one of the things if, if, if you, if you go back to like our, our very first slide and I know you know Imperva very well, you know, the other half of Imperva is what data is flowing over your APIs, which APIs have private data, right? It's, it's about understanding who's using my data, how's it being used? 'cause the reality is, is most data is going to be used by an application.

I mean at the, I mean it's gonna be used by a human or MO in many cases, but through an application. And so that's why I see a lot of these analytics and analysis that we do on the data security space and the app security space. I think at some point I'd love to see them come together and say, the reality is, is data is not just about databases and file servers, to your point, it's about the APIs and the applications and how do you have that unified view.

And I think that's, that's, that's positioned inbo well with a lot of our users because we do have that, that view from the front end all the way to the back end. I, I agree with you.

Right, right, Right. Okay, great. So let's close our second poll and quickly just kind of have a look at the results. So the first questions we asked was about familiarity of people with data security platforms. And I would say that only a tiny minority actually did not know what it is, which is great. So the awareness is here, which is great. We have like our 20% already having actually having the working implementation, which is really more than I have had expected.

But the second Paul has shown us that the vast majority of the PE attendees are wary of the effort and costs of implementing a data security platform. And I think that maybe you have not done a good enough job explaining well, the point number one is, well, you have to do it anyway. Doesn't matter how wary or scared you are, you have to do it because if you don't, you'll have much bigger and costly problems in the future.

And the second, which I guess is like more or less on your ground area, it's actually, if you find the right solution, it's actually much easier to do it as platform and a kind of a fabric approach, maybe from one vendor or at least from like one centralized management, policy management position. Then do it with a, with a, with a toolkit with this old school legal approach. So you should absolutely kind of stop worrying about it.

And actually looking deeper into our, the capabilities, I really are encourage everyone to read our leadership compass kind of to understand more of the different approaches vendors have to create the security. And there is definitely more than one approach, and I would not say which one I personally find the best because again, this is less of a technological choice and more, it's like even a religious approach somehow. Some companies just for example, want to put everything into one basket and one data base and one kind of stack. If it works fine.

Those who don't will inevitably face this whole zoo of multiple environments, multiple clouds, I would agree it would probably be the, the majority. So yeah, you have to look into those capabilities and you have to be able to, what's what's wrong with my screen? Let's not sharing it anymore. So you have to be able to not do it alone. You have kind of, and the vendors like in and others are the, and Analysts like, we are here to actually guide you on this way.

Okay, we still have some time left for questions, so can we please have a look at our questions? And the first one is interesting. How quickly can you analyze massive data stores like one petabyte to hire? You said, how quickly can you analyze what kind of data stores Petabyte scale data stores?

Yeah, I mean like, like anything, right? So an organization that wants to scan significant volumes of data, have to decide the impact of a very, very fast scan or a slow scan. What's the impact to your systems? The reality is, is a technology like ours can scan your system rapidly. Absolutely. But scanning a systems means io, right? We're gonna be working on that system. We're gonna be using the system itself to do some of the work to, to look at the data on there, whether it's a query the system, whether it's browsing a file share, what have you.

So the reality is, is is from a petabyte perspective, it can take some customers a week, couple of weeks, petabytes are a sign significant amount of data without impacting the business depending on the size of your file server. I've seen it take longer than that. Some customers say, look, I realize this is gonna take some time, but I only want to do it at night. It's kinda like filling up your EV and doing it at nighttime, right? I I don't wanna impact my business, so I'll do all the majority work really, you know, scanning my system, I'll do that in the evenings.

Again, that'll take a little bit longer. So the, the point is, is mileage may vary just like an EV or anything else in this case it's how much power do you have in your data store? How much are you willing to give to the scanning of that data store?

And again, you don't have to think too hard about it. A lot of organizations will just take the defaults, which is a nice medium comfortable scan, do it on, on a, on a lesser critical system, take a look at it, see if that works for you, and if so, then usually you'll fall somewhere in between in in between that range. And usually when we're talking about petabytes, we're talking about file servers, we're not talking about databases versus the, the size of the, you know, particular table.

Databases tend to get scanned significantly faster and easier than say a file server, which can take a little bit longer because of just the, the complexity of looking at different types of files. Of course one has to understand that basically to do data classification and discovery well enough, you don't actually have to scan every bite. That's right. I mean the obvious approaches are like, do a statistical sample like only scan 5% of your entire data store. If that discovery already finds some sensitive data, that's usually enough to make a decision.

Yes, we have to actually apply security controls to this data store. You don't have to look for every bite and so on. And then again, kind of, it all depends on a lot of business decisions or criticality specific compliance regulations in place. Or even like if it's your primary production environment or a test database, the requirements are vastly different. And a data security department has to have this flexibility to adapt to every kind of environment.

Ideally it also has to be smart enough to actually suggest specific level of rigor in that scanning that that's suitable for a specific environment. Yeah. Okay. Next question. Why isn't encryption enough for data protection?

Doctor, do you want to elaborate on that? Yeah, Absolutely.

Like I, you know, you know, we've been in the news recently for a lot of encryption stuff, but I think one of the interesting things about encryption is encryption is mandated by just about every cybersecurity data security regulation. You must encrypt your data at rest across the board, but why isn't it enough? It isn't enough. Because every single one of those regulations also says you must monitor all access to whatever sensitive data is relevant for that regulation. P I I P C I, whatever, you must monitor access to it.

So it's wonderful that you encrypted it because that's done and that's a requirement. But now you need to monitor every single user entity application, a p i that has the right to unencrypt that. And it might surprise you, but in a lot of encrypt encryption, especially on databases, you don't encrypt one table or one column or one row, usually you just encrypt the entire database, which means if somebody is authorized to access the database, they see all the data. So you still have to monitor access to it. Why is encryption not enough?

It's not that it's not important, it's critically important. It's, it's required, but there's other requirements that are equally important. And it's not a, can I do one or the other? It's the other Boolean expression. It's I have to do and I have to do both. And on top of that, there is more than one kind of encryption.

Even on a, in a sufficiently sophisticated database, there is like the disc level encryption and table space level encryption and row or based encryption. And you can even mask or like half of your credit card number in a way, like half encrypt a a single field. And they're all useful for different purposes, but none of those provide you protection against every kind of risk. And obviously if your data is in use, but at some moment it has to be decrypted.

Like if you are performing the actual credit card transaction with a third party payment provider, you have to tell them the real credit card number. You cannot just give them a a tokenized version. And as soon as your data is decrypted, you have more than one attack vector. It can be when hardware based attack, like those bugs in modern processors, it can be.

And so, which I mean the, the hackers nowadays are so sophisticated, they can, I don't know, they can monitor blinking of LEDs on your keyboard and steal your data through that channel, for example. If you are not, if you are only protecting your data addressed or in terms, that's definitely not enough. Okay. I think we have like one minute left for one final question. Which teams and what size of teams would run these products? Yeah. Yeah.

The, the short answer is almost always and, and almost is a really critical word because it kind of means the answer is it depends, but almost always is the security team. And that has changed over the decades here.

But, but today it's usually security who's going to be told usually by somebody else. Executives are otherwise to say what are we doing to solve this problem? What are we doing to go understand where my assets are? Usually it's the security team that this is going to land in their lap. Sometime there's a tangential organization, which is your G R C or compliance or otherwise, but usually it's gonna sit right there with those two teams that will, that will live with that.

I'll, I'll add because, because you know, it's Kuppinger coal and of course we're talking about Europe. Sometimes privacy will come into it and, and, and sit in there as well. But usually security's gonna own this technology and be the ones that are responsible for it.

Right, right. And on that I could only add, again, kind of, there's always the clash of expectations and reality.

Of course, in an ideal world, everybody within the company should be using it because it should be to everybody's advantage. Again, as I mentioned in my part earlier, an ideal data security platform actually doesn't just secure your data. It gives you solutions to real business problems or reducing data friction or giving access to analytics and stuff like that. So there will be a lot of stakeholders, a lot of consumers of the data that would be ideally accessing the same platform. Whether we will see it in real life at every organization.

It depends a lot on the, the tech, technological debt and legacy and processes and stuff. But again, we can only dream. Right.

Well, thanks a lot, Terry. Thank you very much for all the attendees who stayed with us till the end of this webinar. I'm glad you were with us. I'm looking forward to seeing you perhaps in the future webinar, and I guess have a nice day and goodbye. Thank you everyone.