(Big) Data Security: Protecting Information at the Source

Well, good morning. Good afternoon. Good evening. Maybe ladies and gentlemen depended on where in the world you are at the moment. Welcome to the first day of summer. And of course, to another call webinar. My name is Alexei Alexei. Balaganski I'm the lead Analyst Analyst at call. And I am joined today by cherry Gable, who is a vice president of business development at Axios. The topic for today is big data security, protecting information as a source, and please pay attention to those brackets around about be. I will explain them a little bit later. This webinar is supported by axiomatic.

Before we actually begin a few words about keeping a call. We are an independent Analyst company. We were founded over 13 years ago in 2004. We are based in VIBA in Germany, but we have quite a substantial international reach with people from, with people around the world, from us to UK and Germany, of course, to Singapore, Australia, and even Philippines, we offer neutral advice, expertise of leadership and practical relevance for end users and vendors and integrators and other companies in the areas such as information security, identity, access management, risk management, and compliance.

And of course everything around the digital transformation. Our three primary business areas are research where we publish regularly the most up to date and independent research and advisory type of materials on various new it trends and products and market segments. And so on. We organize different events ranging from free online webinars like this one to major international. And then what they say, international recognized conferences like our flagship event, the European identity at cloud conference, which we just had a few weeks ago for the 11 time in a role.

And of course we will be having our multiple other events this year. Again, I will talk about them a minute later. And the third pillar of our activity is advisory. Meaning we support your company's projects or in different areas. I mentioned security, IM GRC and so on, and we help to make your business successful in the era of digital transformation.

So again about our major conferences this year, we'll be having our whole tour, the world tour in the area of consumer identity with three conferences in different locations around the world, starting in Seattle, in September, going to Paris, France, of course in November. And finally, as far as to Singapore in December early next year, please expect our new just recently launched our event called next generation marketing executive summit, somewhat new topic for us, but there is a lot of potential. So keep an eye on that one.

And finally again in February next year, we'll be having for the second time, our digital finance world conference ever since around FinTech and modern financial industry. And of course you can always find more information at our website, a few guidelines for the webinar. You are all muted central, so you don't have to worry about it. We control all this features. This webinar is being recorded and we will publish it as a webcast on our website usual the next day. So tomorrow, and they will, of course send each one of you an email with a link.

Finally, we'll be having the Q and a session at the end, but please, I urge you to submit your questions as soon as possible you to the questions tool which you have on your go to webinar control panel as early, as sooner as you do it, the more chances are that you have your question answered at the end as usual, our agenda is separated into three individual parts. First I, as an Analyst will kind of try to set a stage for the topic we are going to discuss today. And that means outlining the actual problem field.

So to say big data security outlining the challenges and modern it trends and kind of setting the stage for the second part where Jerry Gable will present a more in depth view or on the problem. And of course, we'll explain the, the way his company is offering a solution for that problem.

And again, at the end, we will have a Q and a session. And with that without further do let's start with the content. And first of all, I guess I have to explain why we have those brackets in the title. So why big data written like that because, and I have to make a terrible concussion. We are not actually going to be talking about big data security today. At least not in a way you probably expect, but please stay with us. This still will be interesting and you probably learn, think or two at the end. So bear with me.

First of all, we probably have to look back and think again, what big data is anyway, the whole topic, the whole term has appeared as early as in 1990s. So it's all 25 years old already. It was never actually a business related concept, a purely a set of, I would say it workarounds for managing huge and complex data sets, which were two complicated for traditional software back then to deal with this incorporates various technologies for storing, analyzing, visualizing huge dataset are usually poorly structured and to data of pure quality and try to find some value in it.

Of course, big data is a, is a field of data science S whereas powers, whereas scientific and technological methods like data mining, business intelligence, and the latest fed machine learning.

But basically it all boils down to the whole, the so-called three vs model, basically big data is data, which has huge volume, high velocity, meaning that the data is constantly being updated and new data is constantly being fed into the storage quote unquote and finally variety, meaning that the data quality and the data structure is way too poor to be handled in traditional ways like, you know, relational database and too many people or big data is nowadays is just buzzword because everything has evolved so dramatically in the last 25 years.

First of course came the cheap commodity hardware, and then the readily available data, big data management frameworks like Hadoop. And of course, a demand for finding value in various huge data sets is growing steadily.

Again, machine learning is such a crazy fed nowadays, but still for many people, big data is basically that pile of information we store in our classroom. And this is really the biggest mistake people can make when thinking about big data in general and big data security in particular. So this is why big data in our title is written that way. Now fast forward 2017. And this is our favorite slide, which we usually show in almost every webinar.

The preferable digital transformation has changed the way businesses operate so profoundly that basically nowadays, everything is connected when we are talking about the industrial revolution point, oh, or it means that businesses are no longer using digital information as a mean to kind of simplify or optimize the business process. Digital information is just the essence of many modern businesses. This is where they find the value in this, their most heavily guarded and heavily protected crown jewel.

So to say, and the data is everywhere. It's constantly on move between the on premises and cloud and mobile devices and news things of the internet of things frame, and all those subjects are currently communicating either directly or on behalf of the people and people, of course, nowadays involved, not just employees, but partners, customers leads you name it. Now that that also means that I think we traditionally continue to call corporate it.

Infrastructure is actually now spreading far beyond the company perimeter, and it's just so complicated with different device types and platforms and it systems which can be anywhere in the world and partially no longer controlled by our it departments and so on. And this basically means that each of those are listing, each of those are data storage silos, be it a relational database or big data in a had cluster or anything file storage cloud.

Anyway, you name it. It has its own data model has its own security controls. It has its own technological stack and all this have to communicate in real time. Otherwise our business is just grant to a hold and of course we don't want, we cannot afford doing that. And this is why on the next slide. I would like to show you that these are the major technology drivers, which are pushing forward, our modern businesses.

This of course our favorite computing track of mobile cloud and social computing during recently was two younger cousins, the internet of things and the newborn cognitive technologies. And down below, I've listed just a few of recently favored technologies, which power those drivers. So to say it's a consumer identity management or the so-called know your customer movement. It's a big data as we traditionally the standard it's of course the blockchain, oh, nothing, nothing can be mentioned nowadays without having the blockchain, the APIs, the glue that holds all the things together.

And of course, microservices the approach. It helps to ensure that all your huge it infrastructures operate as much as possible. The tiny bits of logic, loosely, coupled windows, APIs, but more important thing. We have to reiterate again, that all these things are interconnected. They all have to talk to each other and they all have to speak the same language and more. They also have to I between themselves as well. So all this leads to hugely increased complexity of modern it world. And basically we have to deal with it somehow.

And the technology problem are only further complicated by compliance nowadays as more and more sensitive, modern business and personal and legal meaning sensitive information is stored digitally, not just in premises, but in the cloud or anywhere else. More and more compliance regulations are heavily influencing the, the further development of our it infrastructures. It's of course a it security related standards, which I have listed in this frame.

The industry specifically regulations like HIPAA for healthcare, PCI DSS for retail and financial institutions, SOS for finance or no like a critical infrastructure for energy companies. And so on each major country has their own regulations. And of course are the dreaded global regulations are looming over us, the GDPR, which everyone is so scared of coming basically next year and the PSD tool, which will have a major influence on payment systems and banks.

So in the world, big data security is the way we traditionally think about it is just so insignificant compared to the actual scope of the problem we have to be dealing with. So on this, on this slide, I included a picture. My colleague Martin kopi had used in one of his earlier presentations to illustrate the perceived complexity of big data security. So this is basically a very rough diagram of a typical again, cluster you have a number of databases are relational databases and non relational ones. You have an unstructured file storage.

You probably have some external shares, connected, some applications, some framework for running parallel computations on that. So basically you have a lot of individual components which were designed without any security in mind and all those infrastructure components speak different languages. And you probably have already 20, at least 20 different security tools in your corporate infrastructure to protect your basic network and endpoints. And what now you have to deploy 10 additional ones to take care of all these individual components.

And they even have to play together crazy complicated, right? But even if you manage it, is it really an end to end security?

Well, I have to disappoint you. No, it's not big data. As I mentioned this, definitely not by far, not just Hadoop on this ugly diagram, I have tried to deliberately make, as complicated looking as possible is basically a sketch of a typical infrastructure. Typical it infrastructure, modern company is dealing with sure, you have your big data on premises, but you definitely have, or maybe having other databases and big data and storage and websites and APIs and cloud applications in the cloud. Maybe you have an industrial network where you have to deal with robots and machines.

Maybe you have an IOT infrastructure collecting data from huge number of sensors. And of course you have your partners and contractors who have to have external remote access to your infrastructures. You have your customers, you have your mobile workers and you have other stuff out there and all these components have to talk to each other. And each of those interactions of each other only partially managed to draw as arrows. Each of these interactions has to be protected. So in the world, big data is definitely not Hadoop. All your data is big data.

And how do you even start thinking about it, how to protect it in a reasonably I'm complicated manner, because just trying to tackle each of those errors individually, you, you simply don't have enough resources for that.

Well, there is one fundamentally different approach of the so-called data centric security I've outlined those four principles or, or on the slide or principles were formulated 10 years ago by security researcher named rich mogul, which basically look simple instead of focusing on protection, hundreds of infrastructures and interaction points between them by not just protect your data itself as a source sounds easy. Right? But for that, your data must be self-describing and self-defining meaning your data must be smart in a sense. So why isn't all your data smart?

Because it just isn't, as I mentioned earlier, one of the typical issues with big data is that it's very stupid data. It's very low quality. It's very unstructured. So how do you make it smart? How do you manage to apply policies and control across all those layers, formats and data types and ensure that this policies stay effective when data moves and transforms from structured to structured between applications and so on. How do you ensure that this policies work consistently through the different layers?

Well, you have to invent something, you have to wrap your stupid data with a smart layer. So to say, there are various approaches to that task. And we've talked about some of them earlier, for example, the information right management, if each of your data can be placed in a tiny container and with the policy attached to it, then this piece of data could be traveling around and stay protected regardless where it goes. Sounds great. Why is it not universally adopted yet?

Because it requires support from applications and besides your Microsoft office and Adobe reader, not many applications supported. There is of course, homomorphic encryption in theory, great technology to allow to keep your data encrypted all the time, but still perform operations on. It sounds good, too good to be true. Cause it is, it's extremely complicated and still are mostly academic research. But of course there is the third topic and this is the one we will be talking. Now we're talking about now it's APM, the adaptive policy based access management.

The, the idea is basically you have to externalize all access control of all your data from each application, from each data source and somehow manage it centrally. So your application develop is no longer need to care about it. They can focus on business logic and somehow the access control will happen magically by itself. It must be centralized, meaning that you only have one place where you define your access control policies.

And they just, again, magically apply, been applied across inte it systems and somehow trans translated and transformed to fit the specific security and it requirements over specifics it system. It has to be dynamic meaning that each decision whether to grant access to a certain piece of data to a certain actor is done in real time. And of course it's influenced by various different context pieces so-called attributes. So it's not just about static roles like we usually had before.

It's really about multiple attributes, which could, could range from roles again, or some it criteria or business criteria like or where in the world the user is currently located, which type of device he's using or how risky is his device or from the point of view, often endpoint security solution and so on. And so on all this attributes influence the final decision. But most importantly, it has to be adaptive, meaning that regardless of which type of it system you are dealing with with applications, APIs, database, you name it, the approach is universal.

And to us easily accessible to be applied to new systems, which can be added later. So it has to be abstract enough or to allow different technical solutions to the same problem. And to this is actually what we are going to be talking about today. And this is what Jerry Gable will be talking about in a minute. But first I would like to summarize the key takeaways. So to say from my part, so all your data is now big data, big data is no longer something which you hold in your ha cluster.

And the traditional siloed approach toward data protection is no longer working simply because you have too many silos, which are no longer under your complete control and they all too different. So data-centric security in, in theory and adaptive policy based control. Practical implementation of the theory are the key factors in reducing that complexity. Sure. This does not solve all security problems. You still have to protect your endpoints. You still have to patch your windows, computers. You still have to monitor your network security. And by the way, think about it.

If you have a modern and fancy security intelligence solution in your company, that solution probably has a big data silo inside it as well. So how do you protect that one?

Anyway, it, a major paradigm shift shift in thinking about security. And this is exactly where I would like to give the stage to Jerry and he will be talking about this in much more detail on Jerry the stage at yours. Okay.

Thank you, Alexei. Thanks very much. Appreciate that.

I, I appreciated your, your comments in setting up this webinar. I wanna welcome and thank everyone for attending today. Thank you very much for your time. And we'll continue the conversation here, hit some of the same topic areas that Alexei covered and give some of our, our perspectives from, from Maximas point of view. Also I'd like I appreciated the, the rich mogul reference there that's. That was awesome. All right.

So what I wanted to talk about is also some, some of our views on the, the current challenges and trends in, in protecting data, regardless of where it resides and how to address some of these requirements of, of balancing between the security complexity that we are facing that Alexei described, but also how to operate in a very agile business world these days, both in commercial and, and public sector organizations. And then we'll, we'll talk about how attribute based access control, I guess that's our acronym for APM adaptive policy based access, you know, same concept here.

Talk about how that technology, that approach can be used to deal with securing big data systems, as well as data, regardless of where it resides in also protecting other kinds of resources and infrastructure in your environment. So I wanted to start out by sharing a few different quotes that, that I've had with organizations in just in the last few weeks or so. So this first one here, we plan to centrally manage authentication and course grain authorization centrally, right? And then leave fine grain authorization for applications to handle.

I guess that's a fairly common perspective that organizations have at least traditionally or historically, we'll see, in on the next couple of quotes where, where some of that attitude is changing, but some of the results here, okay, each of the application teams are gonna devise their own way to address authorization. They typically don't work together on these things. And then any commercial application that you utilize, whether it's installed OnPrem or, or SAS based, it's also gonna have its own access control and security model.

And so what happens is we, we really see the audit teams and the Infosecurity teams suffering because they're the ones that have to deal with access review and compliance. And they, it, because the, the fine grain access is built into the application, it's difficult to have enough visibility and transparency into what's what's happening there. And then of course, as policies and rules and regulations change that often means we need to change the application code, which is quite expensive and time consuming to accomplish.

So here's, here's another quote from another organization. And this is also a very common scenario these days that we are looking to over looking at our overall API and microservice strategy today course screen access is done by groups also roles typically. And then the application does the rest in the future.

However, we want to unwind this hard, coded, secured logic and manage it centrally. So this is a very common scenario, very common discussion topic we get into with, with clients and prospective clients of axiomatic and in their case as is also very common. An API gateway is a key component to the strategy.

And we, they were describing that auto in compliance drivers are very important to them in particularly because they're financial services company across border privacy regulations were high on their priority list. And they, they felt like as a result, they would have still several layers of security, but they felt they would have stronger security in each of those layers, if they could start to enforce some of their policies further out from the application.

So more along the network edge, rather than letting, maybe illegitimate access down into the application, and then finally rejecting those, those access attempts. So here's an another quote from a government organization. So they said, well, all shared the data access will be processed by the centrally managed data hub and the associated authorization service. I think this ties in well with what Alexei had been describing, having, you know, one way to deal with, with all data.

And it was definitely their approach that they wanted to protect the data at the source, apply the policies right there before the data was, was consumed either by, you know, an internal person or, or an external party. And then this way, their security and compliance, and as well as their privacy requirements could be addressed, could be handled by this centrally managed policy service. So interesting how the, you know, these are the kind of conversations we've been having and, and continue to have with, with, with organ organizations.

Then we also wanted to talk a little bit about some of the trends we're seeing, and it's amazing how much of an era of disruption we are living in. So I'm, I'm based in, in the us.

So I'm, I take a us perspective on some of these things. So it was interesting very recently to find, to hear that Tesla from a market capitalization point of view is worth more than a GM or Ford, which is pretty incredible based on the number of vehicles that each of them create.

Now, of course, companies like Toyota or VW Daimler still much, much larger, but it's amazing how new entrance into markets can be so disruptive. And this is even in a, in a time of, you know, abundant fossil fuels and, and energy.

So it's, it's interesting to see some of these dynamics and then Amazon, we often think of Amazon from an it perspective as a disruptive cloud provider, but of course they are such a disruptor in other markets like in retail, as for example, nine retailers have filed already in 2017, filed for bankruptcy and financial analysts are looking at potentially another 10 retailers that are in danger of filing also in 2017. So just incredible disruptors that are happening these days. And when we look at trends, you know, some trends continue from previous years.

It's not like we have new trends to discuss every year, but as Alexei said, you know, to be buzzword compliant, it's hard to have a conversation without talking about some of these technology trends, which I'll I'll touch on in subsequent slides. Although, like I say, I did, I do not address blockchain here.

So I guess I get a, a Dememer for that, but we also talk about these trends, excuse me, in the context of a digital transformation program or project, because that's the real business initiative that's driving the adoption of some of these newer technologies, you know, the, the requirement, the demand to become more digital as an organization, whether you're a private sector company or a government ministry or agency, you know, the idea to truly enhance the customer experience or citizen experience to take the friction out of getting information or conducting business operations is, is really that the driver behind a lot of these technology trends.

So when we look at each of them individually, we'll, we'll look at some of the perspectives from an, from an application perspective, but also from an access control and security perspective. So we, we see so many organizations now that are, that are taking a cloud first approach, you know, particularly for, for new application development.

And it's morphed from being a platform, not just for infrastructure or the platform itself, but even now to get database capabil as a service, you know, and the major major players here are Amazon Google, Microsoft, of course, others having a big, big presence include IBM Oracle. So everyone is racing to be a cloud provider. And from a platform perspective, I think there are fewer concerns about the security, but still we have to think about, okay, how do we protect the application content? How do we protect the data?

Now that's residing in the cloud potentially as a, as a data service, you know, potentially even as a big data service there. So like say had some comments about big data.

Of course, it's a very much more of a commodity capability today, much cheaper to acquire and maintain than some of the traditional relational database products, historically speaking. And we see so many applications using big data systems for it, the purpose of determining analytics or analyzing the data, you know, there's so much work now, so much research and investment into algorithms so that we can analyze trends, monetize data, do predictive and analytics and so on.

And also it was clearly not limited to had, although had systems have a large footprint here, there's many other systems like Mongo, Cassandra, and so on. And we see the, the pace of evolution and innovation here, you know, changing quickly. So it's hard to keep up with all the changes in, in the big data space these days now, APIs in microservices.

I, I bundle them together here because they're typically, you know, talked about in, in, in conjunction. And, and this is certainly the most popular approach for developing new applications these days, as well as for example, implementing APIs onto legacy applications to make that functionality more available to modern computing or it techniques. So I think we also have to consider what this means for identity and access management tools or digital IAM.

So we, you know, we, as security vendors have to think about making our products API available, or microservice container ready to, to, you know, accommodate the, the rapid development and operations model, which is on the next slide here, you know, the DevOps model of, you know, continuous development, continuous deployment, where we see a number of, of organizations looking to adopt this kind of approach, you know, which compared to many years ago, when I worked in central, it, you know, we had three or four or five major implementations of changes per year with lots of testing and integration work in between.

Now we want to be able to have a more continuous model here. And again, we have to look at our security infrastructure, our identity and access management infrastructure. Can we operate in a similar model at a similar pace? So definitely things we need to think about as, as vendors in this space. And then internet of things is, is emerging as well as a factor, as a requirement from an authorization perspective.

And the, the two areas that we see being most appropriate from an authorization perspective are the different gateways and API services between the different intermediaries that Alexei described earlier. That is, you know, the, the gateway that's managing the devices themselves and, and collecting data, and then other systems that are sharing that data, accessing that data, maybe analyzing it. This is where we think it's appropriate to start to control the flow of information between these different functional layers in an internet of things kind of deployment.

And what we've seen in, in several conversations is it's interesting where you can with where you can end up co-mingling different kinds of data in these backend systems that now either represent significant business value from an intellectual property perspective. So we wanna protect that accordingly, but we also may introduce privacy concerns, fly by cold mingling and collecting data from different systems.

And, and then therefore we need to address those privacy issues as well. So, you know, again, why are, why are organizations embarking on these digital transformation projects?

Well, again, it's so much of it is about customer experience and getting a competitive advantage over others in your industry. And we're seeing this across private sector, as well as the government sector, as they all attempt to become digital businesses and keep up with, with this latest trends.

And, but as I pointed out earlier, you know, digital transformation typically is an amalgamation of several different technologies, you know, IOT plus big data plus APIs and microservices to access this information. So we need to think about all of these technologies being melded together, but that also creates some additional complexity that we have to deal with and address and, and attempt to manage. So I think that was an important factor that Alexei say pointed out earlier. And I'd like to close this section w with another quote was reading some, some stories out of Australia.

And I found this interesting quote from the general manager of digital identity services for Australia post. And he was detailing the organization's ambitions for its identity platform. In this case, it was a, you know, digital identity platform. So he was saying he was referencing a study that Australia post did, which indicated that solving the digital identity friction will unlocked 11 billion of economic value each year for Australian consumer's businesses and governments. So that's a, a fantastic metric here. And I think it gives you a little bit of insight into the, the potential.

And in this case, they're just talking about the, the digital identity platform, not even the, the, an overall digital transformation program. All right. So moving on to the next test section here, I want to talk about how we can address this balance that we need to maintain here of providing the business agility while also addressing and attempting to deal with the complexity of this security requirements of these, these modern it systems. So I really enjoyed Dan Bloom's presentation at the recent European identity conference.

Another was another fantastic event this year, and Dan has done some research recently on, on authorization, on addressing different issues here. And he, he used a number of slides here, and I've just stolen a couple of, of graphics from, from him. So he was calling out the, the issue that authorization being implemented in each application or service leads to a lot of the complexity that we've been talking about as well as other negative consequences, like inconsistent, inconsistent security complexity of, of the operating environment and so on.

So he, what he described in this graphic was that, well, each application within your custom app or your core application suite would have an individual policy decision point in each application. And then you have some kind of data feed that distributes data to other downstream consuming applications, which they themselves also have individual policy decision points within them. So that was part of the complexity that he was pointing out from an operational perspective.

And he proposed, well, there could be a dream scenario where authorization is centrally managed that within each application, you just have a policy enforcement point installed, which would be able to query some centrally managed policy decision point, which has its centrally managed rules library. Okay.

That's, that's great. That's a nice dream scenario. We would say, you know, from an, you know, an optimized scenario perspective, that there are certain principles that we could adopt here that we agree authorization should be externalized from the applications, from the services from those data systems managed centrally, but of course you can logically or physically distribute some of the enforcement, the, the decision making and the policy administration. So you don't, so you can address the needs of different lines of business or different geographic regions.

And these systems should be a dynamic and flexible being able to adapt to a wide variety of application or, or data systems that they have to accommodate a number of different functionalities. And we actually introduced some years ago at EIC, this notion of an anywhere authorization architecture.

And you can see a little bit from the graphics that it, it is rather dated, but we agreed with these concepts here that you could have enforcement points within different applications, whether in your data center or in the cloud, that you had some kind of gateway that could also act as an enforcement point, intermediary, you can see back in the day, we call them XML gateways. Now we call them API gateways, and then you could have some centrally managed decisioning and policy management infrastructure to tie together these different distributed it and application environments.

And then we also, we extended this and call, we call that another principle that you should have an authorization architecture that can deal with the, any depth within the typical application structure, you know, from the web single sign on, through the presentation, tier the APIs and the business levels, and then right, right down to the database itself, relational databases or big data systems.

And we think an optimal deployment approach then is to have these enforcement points, whether they're proxy based or, or code based that can deal with APIs, microservices, relational databases systems, big data systems that can be E externally managed from a central authorization service.

And you get the most leverage from this kind of approach because you don't have to change the application code of hundreds or thousands of applications, but you integrate your authorization service at those key key mitigation points, you know, at the API market service database and big data level to get the kind of, of consistency and central management capability that, that Alexei a pointed out earlier, and that we feel are be benefits from an AAC or attribute based access control approach.

So you're not managing the access control within each of those databases or APIs from microservices, but we can centrally define those access policies, centrally enforce them as well through standards like exact mold, the extensible access control markup language. Because with this approach, you can be flexible and adaptable to the different kinds of resources and infrastructure components that you have. They're very dynamic and context based. So you can incorporate risk scores from the authentication process or from other risk based engines into an access control model.

That gives you a, a lot of, a lot of comprehensive coverage here. And I think allows you to simplify some of the complexity behind, you know, the backend it infrastructure. And I did wanna point out some examples for big data specifically. I know Alexei say hinted that he wouldn't be focusing so much on this, but I wanted to take a couple moments to, to describe how this approach can be implemented for big data. So why would we do this well, like other data and resources, we want to be able to enforce access control before the data is consumed.

So we, we don't want to do post processing of data to mask it or redact information or filter data. We want be able to do that right at the source.

And again, this is a great way to get leverage over lots of applications, you know, hundreds or even thousands of applications that are accessing the same data source. And you can utilize the same policy language, the same standard-based policy language to protect this kind of data as you do for other kinds of resources. And of course, it's part of a, a centrally managed system.

So what, what, or what is the basis for how this works? Well, it's actually rewriting the query to the database. So you're applying the policy before the data is even accessed within the system. And it's interesting to point out that this query rewriting functionality has quite a long history. One of my colleagues, Pablo John Biji was doing some research on this recently for another presentation.

And the concepts actually came up from Michael Stone breaker and, and Eugene Wong way back in the early seventies, Oracle and their virtual private database, P D introduced some of this capability to rewrite queries in 1998, followed more recently from IDM and Microsoft. And then with, within the big data space for a sequel on Hudu implementation, Apache ranger, or, or the record service allow this kind of functionality as well. So we can actually use AAC principles and capabilities to rewrite queries.

So we can use that same policy language for the big data world as we do for relational databases and protecting your, your APIs and microservices. You don't necessarily have to have a deep knowledge of SQL because it's, it's a rather, rather, you know, fixed environment is a contained space to do an implementation and you lose, you use this same consistent approach across relational, big data APIs and other services. We think there's a lot of benefit to taking that sort of approach.

Alright, so to wrap up here, so we have a few minutes for Q and a.

So what I've talked about here is an approach to deal with the, the complexity of this digital transformation world, where we have so many new technology trends to, to address and to manage where we can apply, you know, a or a, a principles to give you authorization at any depth of your application infrastructure, both on-prem and in the cloud, dealing with authorization, regardless of where your data, your resources are stored and apply this across the main mechanisms for accessing this information, you know, through APIs, through microservices, database systems and big data, and have a consistency of policy management across these resource types and a consistency of access enforcement across those resource types.

So with that, Alexa, I'll pause and hand it back to you to moderate Q and a. Okay, great. Thanks a lot for in depth continuation of, of things I mentioned earlier, I think that kind of worked great together and yes, indeed, we are going to have some time for Q and a session. So please submit your questions or some the panel, the flow, or right. Part of your screen on the go to webinar, just sorry, on the go to webinar console and yes, we already have, the first question is, so how complex your policies can actually be, for example, can you address something really?

So high level business related as a GDPR compliance, for example? Oh, absolutely. Like I say, with, for example, the exact mobile policy language, which we implement within our, within our environment, it's a very, very rich language that can incorporate the context of many different scenarios. So a lot of information about the users themselves use, so you can incorporate their location, their cost center, title, their role, and, and then compare that to similar information about the resource.

So in, in banking environments where you're dealing with, you know, be customers in a multinational scenario, you can incorporate the location of the client account, what branch office they're assigned to the citizenship of, of that client and incorporate privacy rules for those kind of cross cross-border privacy scenarios. So we see that as a fairly common pattern for our customers.

Okay, great. Well, let me just break for a second for, to answer one short question. Yes. We have both by engineer slides available, can already download them from our website from the same page where you have registered for the webinar. And to go back to that question, can you maybe describe shortly at a customer case? So a real world scenario?

Well, absolutely. So maybe a before and after situation, we have a banking customer who, who has asset management application, where could, you know, before implementing, you know, the APM or AAC approach, they actually had three different code bases, source code bases for, for the application, one for the us, one for Europe and one for Asia. And then they further made individual modifications to implement privacy rules for access to client data wi with an, a centrally managed authorization service.

They're actually able to manage now one application source code base, and the logic for the access control based on regional privacy laws and regulations is managed within the security infrastructure within the authorization infrastructure rather than directly in the application. So this is a huge benefit from many perspectives. It's less costly to manage the application code itself.

And also they're, they're able to adapt to changes in regulations more easily, and more quickly, as you know, GDPR is a huge issue now facing many multinational financial services companies and, and other kinds of organizations. And then from an audit and reporting perspective, they have one place to have detailed analytics and reports on who has access to what data from the centrally managed authorization service. So that would be one, one example, Right.

And I guess kind of the most beautiful part of it is that as soon as you manage to have the whole infrastructure in place, then kind of adding, covering additional applications is just becomes easier and easier. Right. That's true. Like any that's true, like any system there's some initial effort and cost to deploying the functionality and then each subsequent application or service gains the benefit and, you know, leverages that initial investment. Right. Okay. Next question. Any progress with exec editors since GDPR is about lots of users and their self-serving content consent?

Yeah, that's Sure. Sure.

Well, that actually is addresses a couple of different things. When I hear that question one from Maximas perspective, we've devoted a lot of our, our research and development energy over the past several years to improve the, the policy editing functionality. And we have a couple of different options available that, and, you know, can follow up with us on, but we, we definitely focus a lot of our attention on the ease of policy management policy authoring.

And we, we think we've made some great strides there in, in recent years. A couple other points though. One is that once you create, once you author the policies, we generally find that they're fairly stable over time.

Albeit, you know, when you do need to make changes, it's obviously easier to do that in the, in the central system than in, you know, hard coded application logic. But secondly, like say when I think about the consent information, I do think that that is best managed outside of the authorization service.

So, so the authorization policies and rules actually become a consumer of that consent information. So whether it's an in PSD two where you're setting preferences for who can access your, your banking information through those APIs, or in other scenarios of controlling consent to access personal information, I believe that in that is best managed and, and say a consumer identity access management system or, or in some application profile management.

So it's the same interface that, you know, those consumers are familiar with using, and then the authorization service is just able to leverage and enforce those consent preferences at runtime. I think that's an optimal way to think about, you know, say implementing a GDPR consent information scenario. Right. I don't know if you feel the same way about that, let's say, Yeah.

I mean, or you are absolutely right to, this are to almost unrelated. So to say, or at least scenarios, which there was less absolutely can play together, especially if everything is implemented as a standard, like, like is a standard, or basically we have standards at standardization efforts around consent, like U a for example. And of course there are lots of vendors offering some almost tone key solutions for that type of, for example.

So it's, it can all play well together. No problem. Great. Next question.

Are, can you implement segregation of duties to, for instance, approving a transaction, someone initiated? Oh, absolutely. That's a very common scenario for us. And it's one that's difficult to implement just with a role based model, because for example, if I'm, you know, a manager in a company and I can have the, I have the authority to create, say purchase orders, and I also have the authority to approve purchase orders for payment, but maybe there's a business rule that says, well, I, I can't approve the ones that I created. That seems like a logical separation of duty example.

And so this is a very easy to do because with an AAC system, it is a rules based system behind the scenes. And, and it is one of the powerful capabilities where you can compare well, who is the owner of this purchase order. And so I can prevent people from approving one's purchase orders that they have themselves created. So that's something that's very common in the requirements that we see and, and quite easily implemented in a, in an aback system. Okay.

Well, we really have just a couple of minutes left or, and already more questions, sorry. Already more questions that we could possibly answer about. So let's take one, the last one, and for the rest, we could just connect the individual people, asking it directly to you so you could answer them, but email, for example. So the last one for today is can you add multiple policies for instance, one that would grant access to data and then one that would prevent people from certain locations or devices to access that data or, or even complete blacklisting.

Yes, yes. So yes, to all of those. So you can have different rules for access that are, you know, negative or positive rules. You can have whitelists or blacklists incorporated into the, the rules. And there's also a precedence. So if you have different rules that naturally conflict, you know, I can access data.

So I'm, I'm a us citizen. I can access us person data when I am located in the us, but I, if I am induc or with you, then I cannot access that data. So you can have those kind of structures within your policies and the, you set the precedence for different rules that might conflict to have the proper outcome.

So yes, that's a very natural scenario that we see and can implement. Okay, great.

Well, I'm really sorry to say that we have a few pretty technical questions left, but unfortunately no time to answer them. So I would urge people who ask them just to write me or Jerry and email and drop those questions directly to us. And we will forward them to appropriate technical specialists to would definitely answer them better than at least I could probably Happy to do that. Absolutely. Yeah. So thanks a lot, Jerry. Thanks a lot to all attendees for being with us today in this webinar. I hope to see you in one of our future webinars again and have a nice day. Thank you everyone.

Bye now.