Webinar Recording

The Perils of Today’s Approach on Access Governance: Start Protecting Data at Source


Protecting sensitive, valuable data is a must for every organization. Ever-increasing cyber-attacks and ever-tightening regulations mandate that businesses take action. Unfortunately, the common approaches of IGA (Identity Governance and Administration), which focus on managing static entitlements for systems and applications, fall short in really securing the data at risk. They fail in managing data in motion. They are static. They don't manage the usage of data well. Not to mention all the challenges in role management projects and around regular access reviews.

Welcome everybody to our webinar, The Perils of Today's Approach on Access Governance: Start Protecting Data at Source. This webinar is supported by Seclore, and the speakers today are Vishal Gupta, CEO of Seclore, and me, Martin Kuppinger, Principal Analyst at KuppingerCole. Before we start, some quick information about the services KuppingerCole provides and some housekeeping, and then we will dive directly into the topic. The service I'd like to highlight today is our KC Masterclass. We are just launching this: we have Privileged Access Management, we have Incident Response, and we will start an IAM Essentials masterclass right now. This can all be interactive and remote: interactive webinars, a lot of material, videos and other things to learn with, and a certification. Optionally, there is then an all-day class, either remote or on-site, depending on what suits your needs best and what suits the current times best.
So we have some very interesting new offers here; have a look at these masterclasses. You'll find all the information on our website. For the webinar itself, some information: audio control. You don't need to mute or unmute yourself; we are controlling these features. We are recording the webinar, so we will publish a podcast recording, usually by the day after the webinar, and we will also make the slide deck available shortly. There will be a Q&A session at the end of the webinar. However, you can enter questions at any time during the webinar in the GoToWebinar control panel, which usually is at the right side of your screen. There's an area "Questions", and in that area you can enter the questions you have. The more questions we have, the more likely and interesting the Q&A will be at the end.
The webinar itself is split into three parts. In the first part, I'll talk about rescoping access governance and about the role of data-centric security in future identity management and access governance. I also will have a look at regulations that drive the need for data-centric security. Following me, Vishal Gupta of Seclore will compare data-centric security to other technologies and look at how to do data-centric security right, with specific emphasis on the role of the human factor and approaches for efficient policy management. Finally, there will be a Q&A, as I've already said, so I will look at the questions you have and provide answers to them. Having said this, I'll jump directly to the first slide of my content, and I think this is maybe the most important one, in the sense of really talking about and looking at why data is at the core of protection.
So let's start very centrally with that. When we look at data, whichever type of data it is, at the end data is what we want to protect. That's data protection, or information protection. Whether you distinguish between data and information would be a separate topic; there probably is a distinction between these two things, but both data protection and information protection, at the end, are about how we can protect this valuable data, that valuable information we own. So the logical thing to do is to protect data at the core: look at how you can protect the data itself. A quick question to my team: I got two questions from the audience about whether the audio is working. It appears that we might have an audio problem. Can you give me an indicator whether you can hear me?
Okay, it looks like it works right now, so I'll continue. Data is at the core of the protection. I started by saying that we need to look at data security because data and information are what we really want to protect. This is the essential thing, and the best way to protect data is really starting with protection at that level, protecting data at the core. That's the logical way. We can add layers around it, and we do it regularly; it's a very normal thing to do. That means we can add a layer which is about protecting our systems and our applications. So all the access controls we have, role management, things like that, are an additional layer, but they are not directly protecting the data. It's something we do around it; it's not the core of the protection, it's an additional layer. The same holds true for network security, protecting against people fraudulently accessing systems: it's another layer. And finally, device and endpoint security is again another layer. All of these help us in information protection, but the logical place to start with information protection obviously is at the level of the data, at the level of information. When we look at it from this perspective, it's apparent that data-centric security is the best way to protect our information.
When we then look at it from the perspective of access governance as it's usually done today, there are some, I would phrase it, gaps. Access has many facets, and access governance could be pretty broad. If you look at how access governance could be defined, it becomes apparent that we could look at access governance for static access entitlements in systems, services and applications versus runtime access. So those are facets of access: static access entitlements and runtime access. When I access a system, when I authenticate, when I authorize at runtime, these are again two different things; that is one perspective. The other would be looking at which entitlements I have. Both are in some way part of access governance. It could be about structured data versus big data, so all the database-like stuff, versus unstructured data: different perspectives, different challenges. And we have, let's start from the right, access to the device, access to the network, access to the system, to applications and services, access to data and information. Again, this is a perspective you could take on access governance: privileged versus non-privileged access.
Then we have access policies. We could look at implementing these policies, managing these policies and enforcing these policies, on-premises versus cloud, et cetera. It's a broad spectrum of access governance. If you take all this, the picture would be maybe something like this, where we say: we have, from the right end, device, network, system, application, data; we have some policy management; we have the deployment models; and we have access management, which could be privileged or not. When we read from the left-hand side: dynamic access, static entitlements, authentication versus authorization versus usage. A complex picture. In the broad definition, access governance would cover all of this, and that should, as we just learned in the beginning, include data governance. However, when we look at what access governance commonly does today, it looks a little bit like this.
It's the green area. So static entitlements for systems and applications: done very well on-premises, done okay for the cloud. All the other areas are not part of the standard governance approach of IGA, Identity Governance and Administration, and specifically these two, the columns number two and three when we read from the left-hand side, structured and unstructured data, are not covered. But our main focus should be on protecting information, and we do that best by protecting the information itself. So access governance, and also access management, the way we do it today, does not cover it at the level at which it should cover our most sensitive assets, which are our data. For most businesses today, this is one of the most valuable assets of the entire organization. So that focus is very narrow and we should broaden the scope. That means we should move to an approach which puts far more emphasis on data-centric security.
We should move to an approach which covers all of that, an approach which looks at all the areas here. So we need policy management for access policies across everything. We obviously need cyber security technologies to protect access to devices and networks. We need governance at the system and application level, but we specifically should put our focus on the green area: data access governance and data-centric security, because that should be at the heart of what we do in access governance. At the end, again, it is about protecting the most valuable assets, the crown jewels of our organizations, and doing that starts at the data, at the information level, and not somewhere in one of these outer layers such as the device, the network, or applications and systems. That doesn't mean we should get rid of the other stuff; we need all of it. But we need to take a broader approach on security, with data security being a core discipline of everything we are doing.
And that's also required when we look at it from an audit perspective, from a security perspective and from a compliance perspective, which are different things. Compliance only means we are meeting the laws and regulations; we can say "yes, we comply with that". Audit only says "yes, we passed; we can prove it historically". But it doesn't mean that we are really safe, and I've seen too much checkbox compliance in my life already. We need to move to something which really helps us. Having a compliance or an audit track and saying "okay, yes, we've passed it" doesn't help us when valuable data gets lost; it doesn't help us when data leaks. So we need to do it right; we need to take the right actions.
So, doing things the right way: audit and compliance are tightly related, but they don't make us secure. Let's take the right actions. That means thinking beyond the track of saying "okay, we've passed our ISO 27000 certification, we've passed our audits", whatever the checks mandated in the financial industry are. We should do it in a way which really makes us future-proof, and that means we need to add data-centric security, again because it's at the core. There are also a lot of regulations which already have some element of data-centric security in them, and there will be more, I'm absolutely convinced. We will see far more audits looking at these aspects.
When we look at the baseline, not only regulations but also standards: ISO 27000 is not a regulation but a standard, but factually it's not only asking for protecting the system, it's also asking for protecting the data. Look at these standards, look at these requirements. If you look at critical infrastructure regulations, they add to that. And then there's all the privacy stuff: when we look at GDPR, when we look at CCPA and other regulations in that space, they are very clearly about data protection. They are about understanding where your data resides and protecting the data. So we need it here, and that's also where we see a significant uptake of data-centric security, just driven by regulations such as GDPR and, recently, CCPA. We also have business regulations; business regulations are very frequently about protecting financial data and/or intellectual property.
And then there are a couple of local and global ones. So there are many regulations, and many of these are focusing on data security. I've just listed a few. We just recently compiled a list of, I think, way north of 100 regulations globally which deal with data security requirements. So there are regulations everywhere, but it's not only about regulations. We should go one step further and say we do it because we want to be safe. Before handing over to Vishal, I want to quickly touch on the CCPA and GDPR perspective, where it becomes apparent that regulations require such a data-centric security approach. One thing: when we look at both of these, they are not the same thing; there are differences. CCPA has a wider range of types of personal data, and there are additional obligations defined which you need to keep to. Some things are different: some things are stronger and broader in GDPR, some in CCPA. And there will be more of these.
So there are certain role models, certain good examples, with other countries following the entire thing. But when we look at what it means, all of these regulations are about understanding your requirements: security, legal and regulatory requirements. You need to understand them, including the GDPR and/or CCPA requirements. It's also important to give your customers the trust and the privacy the customer expects, and to know what you need to do for the data that you have. That's why I highlighted this: that you establish a sound data privacy strategy that takes these requirements into account. You need to understand where the data is, where the centers of data are, where it resides. That's one of the examples where it's also about data-centric security. It's about understanding where the data is, how to protect it, how to secure it, having a plan for implementing it, understanding where it is, categorizing it, classifying information, and applying protection to that information.
And then obviously there are some things which are more specific around the standards. So put the right technologies in place, train your employees on that, and initiate your data classification and recording process. Forget about the date, which depends on which regulation you look at; do it at the latest right after this webinar. So do it, enforce it. This is one of the many examples where it's about "yes, we need data-centric security". Another good example is intellectual property in manufacturing organizations. I'm from Germany, from the south of Germany, and there are many businesses which are more medium-sized to big, but they are global leaders in a very specific area. They are high-tech, and obviously their corporate value derives from their knowledge, from their technology, from their blueprints, from all this intellectual property. That's their crown jewels; that's what they need to protect. Again, they have a need for data-centric security because they can't afford losing that. So we need data-centric security, and it's logical to start with data-centric security. With that, I hand over to Vishal, who will go into more detail here.
Thanks a lot, Martin, appreciate that, and thanks for the background. I'll jump right into what our experience at Seclore has been around building and deploying data-centric security solutions. The first thing that comes to mind is: why now? Data-centric security technologies, or the need for data-centric security, for the most part is not particularly new. The earliest versions of such technologies have been around for the better part of the last two decades, the 1999 timeframe. But there are a couple of reasons why, in the last three or four years, an increased amount of interest, and therefore an increased number of deployments, especially when it comes to large enterprises, is being seen for this class of technologies. There are a couple of external factors which are driving this. The first one is increased collaboration with external agencies.
Most enterprise security postures focus on protecting data and making sure it doesn't leave the enterprise. But with increased collaboration with external agencies like vendors, partners, distributors, customers, lawyers, auditors, board members, and the list goes on, as soon as information or data is sent to them, pretty much every enterprise security technology and process breaks down. The only thing which governs that data now is a non-disclosure agreement, right? And that's not good enough. Combined with that, even people within the enterprise are starting to work from anywhere: from home, on any device, any network, any application. There is an increased amount of collaboration, and data is moving to cloud applications, over which enterprises presumably exercise less control. Martin, you talked about the data-centric nature of regulations, so GDPR and these data protection regulations are catching up to becoming more and more data-centric.
And there is one kind of internal reason, which is that the technology itself has evolved significantly. A lot of prerequisites for this technology, which were not in place 20 years ago, have now, over a period of time, come into place. For example, just basic identity infrastructure is a prerequisite for any data-centric security technology to really work. And of course security and privacy policy awareness, right? All of these combined together are creating what I call a perfect storm for data-centric security today. Before we go too far, let's just understand what data-centric security really means on the ground. Data-centric security, at the core of it, is an answer to these four questions: who can access a piece of information? What can each of the people who can access it do with that piece of information? How long can they continue to access it?
And from where? So you might have a forward-looking financial statement which can only be accessed by the board and the external auditor; that is the answer to the "who" question. People can only view and edit it and circulate it amongst themselves, but not copy it out or send it outside of the group, not take printouts and the like. They can continue to access it until the time these results are published on the stock market. And let's say they can only access it within the European Union, but not outside. Now, all of these security policies are built into the information itself, and that's really what makes this technology data-centric: these security policies are not applied to devices, networks or applications, but they're applied to the data itself. And the policies travel with the data, wherever the data goes, right?
These controls are very granular, and you'll see some examples of what these controls look like. They're persistent, which means that, in the simplest example, if I send you a document and then you make copies of it, and you make version one and version two and so on, these controls travel with the data. And last but not least, these controls are remotely editable, which means that you can change any of the answers to who, what, when and where post-distribution. Right? So that's one thing: making security itself data-centric, attaching it to the data rather than attaching it to networks, applications or devices. Combined with that is data-centric audit, which is: not only can you attach the security policy, the who, what, when and where, to the data, but as this data is going around within the enterprise, to external agencies and so on, you can also track and audit who did what with this information, when, and from where.
So as this data moves around within the enterprise, goes to an external fabricator for fabrication of a part, comes back into the company and so on, what exactly is happening to the data through its lifecycle, authorized accesses and unauthorized attempts, is all getting captured and reported into a component. There are very interesting things that can be done around this, right? And just very quickly, this is what it looks like. You can have control over who can access: people, teams. What can each of these people do, and these controls can get really granular, including controls over screen capture, for example, or running macros in Excel and the like. How many days: time-based controls. IP address and location-based controls, and so on. And as this data moves around within the enterprise, the lowest level of granular data gets captured, and then aggregates of this data. So for example, high-risk unauthorized activities, which might concern highly confidential intellectual property or forward-looking financial statements or shareholder contracts and so on, can then be monitored, so that not every piece of data is treated the same.
This technology has been around for many decades, as I mentioned earlier, but there have been reasons for its failure in large-scale adoption. The data-centric security technology has succeeded only in very small, defined use cases, but not for business as usual. Those small, defined use cases may be, you know, a merger or acquisition kind of scenario, where there's a very small group of people who are involved in very highly confidential activities. At that scale, the technology has succeeded historically, but not for, let's say, a hundred thousand people using it on a daily basis. The biggest reasons for this are around user involvement. The challenge with data-centric security technologies historically has been the need for an average user to be involved in a security process. That's a big challenge: educating and driving adoption based on user enthusiasm and user awareness is a problem for any technology.
And for security technologies, it's an even bigger problem. This, combined with users having to decide what to protect, what policies to apply to this piece of data that they're creating or sending as an email, and so on, increases the costs and the overheads. Combined with that has been user experience. The technologies in this space have historically been format-, application-, even operating-system-dependent. So what works for Word and Excel doesn't work for PDF, and what works for Windows doesn't work for Android, and the like. It's usually been a very, very clunky user experience that has stopped large-scale adoption of this technology. Combined with that is administrator-level overhead. Security teams are getting increasingly bombarded with more and more requests for tools and technologies, and what happens is that now data-centric security is another tool which needs to be managed, where security policies need to be defined, and so on. And of course the user training and awareness piece has to be done. This creates non-linear administrative overheads, which go up exponentially as the size of the enterprise increases.
A lot of technologies in this space also have hidden costs because of the format, application and operating system dependence. What works for Windows 10 will not work for Windows 7, and what works for Office version 13 will not work for Office version 7, and so on. So the prerequisites for using this kind of technology increase, so that you have to spend a million dollars on upgrades before you can spend a hundred thousand dollars on the data-centric security technology itself. And last but not least, because data-centric security technologies are fundamentally embedded into the data itself, the document or email and so on, there are many cases of other technologies breaking down: deduplication, for example, or content inspection technologies. Other technologies breaking down has been a very common phenomenon in this space. These are all the reasons that, for the better part of the last 20 years, this class of technologies had not seen large-scale adoption till about two or three years ago.
So in this context, what's the dream scenario for data-centric security technology? The first one is to remove the user and administrative overheads through a process of automation. This is almost like a driverless-car dream, where the user and the administrator are not burdened with making decisions around what needs to be protected, what policy needs to be applied, and so on; the car pretty much drives itself. That's one scenario, and I'll come to how more recent innovations in this space have overcome some of these challenges. The other is: how can this technology be deployed without any change in the user experience? So if Martin is creating a document, saving it on his local computer, attaching it to an email and sending it to the external fabricator, then post-deployment of this technology he should ideally continue to run the same process, and the technology should just work in the background, which means that it should work with any form of collaboration.
It should work on any operating system, any application, any format, and so on. And it should also not force him to upgrade to the latest version of the application or the operating system, or change the workflow in any way. Now, this is a dream scenario, and what has happened is that in more recent times this dream scenario is actually playing out, because a lot of technologies, all combined together, have been able to achieve this dream scenario, such that the user and the administrator can stop worrying about this technology and are not burdened with making these decisions, and the technology works without any changes in user experience. Before we go a little more into what kind of innovation has happened in the last couple of years specifically, let's just look at what really drives the need for this kind of technology.
Martin already covered that earlier in his part. The first general class of reasons that enterprises adopt data-centric security is data protection itself. So enterprises already worry about insider threat: what happens if somebody emails a confidential document? Cross-application data: for example, what happens if I expose my applications to external agencies, or even to internal users, and somebody downloads a highly confidential document from SharePoint, or somebody extracts a highly confidential report from SAP? DLP extension: DLP technologies typically govern the data only till it is within the enterprise, but you want to extend the controls of the DLP system outside of the enterprise. IP protection, the example that Martin gave. And email, of course, being the dominant form of collaboration. So that is the general class of data protection as a driver. The next is external collaboration, right?
So whether it is external applications, where you are worried about data going to the cloud, or data going to personal mobile devices; people are working from anywhere, and again it is very difficult, nearly impossible, to control locations or networks or devices and so on; a lot of data goes to external agencies, outsourcing, and the general class of third-party risk. So there is one set of drivers here which are around data protection. There's a second set of drivers which are all around: as enterprises lose control of the infrastructure, whether it's the applications going to the cloud, or the devices becoming personal, or the networks becoming public, how does an enterprise still secure and control this data? And the last, but not the least dominant, reason for adoption of data-centric security is all the privacy and security regulation which is coming up. Every four-letter combination is a security regulation or a privacy regulation somewhere in this world. Martin already talked about that, but today things like the right to forget, protecting customer data before it even comes to the enterprise, and so on, are big drivers where enterprises have no option but to take a data-centric approach to security.
So in an ideal situation, what a data-centric security architecture looks like is this: data needs to be discovered and tagged, and then comes rights management, which is, once you've discovered and segregated data into "this is public information" and "this is highly confidential intellectual property", and maybe there are shades in the middle, then the appropriate security policies, which are the answer to who, what, when and where, need to be applied to each piece of data. And last but not least, there is data-centric audit, which will now monitor, once the data security policy has been applied to the data, and as the data goes around within or outside of the enterprise: there are dashboards which can monitor what is happening to the data, and it can reveal very interesting trends around how this data is being consumed, authorized attempts and unauthorized attempts, and so on.
But very important in this scheme of things is that data-centric security is not an island, whether as an element of IT infrastructure or as a part of the general security posture of an enterprise. Therefore, in our experience, it is very important for any data-centric security technology to work very well with the existing IT infrastructure of an enterprise. This is typically data repositories. These could be repositories of structured data like SAP, for example, or an online banking system, the transactional backbone of the company. And these could also be repositories of unstructured information like file servers and SharePoint and Box and so on. Irrespective of the nature of that repository of data, the data-centric security infrastructure just needs to work very well with the existing technologies. The second thing is messaging and collaboration, email of course being the dominant form, but there are other messaging and collaboration tools, project management kind of tools that are coming up, and the data-centric security technologies need to work with those. Then endpoint and other security technologies like DLP, for example, single sign-on and identity. And last but not least, the insights that data-centric security technologies get, like who did what with this piece of data, when and where, are very interesting input for all the security incident and event monitoring, SIEM kind of technologies; but in general, any kind of security analytics that is performed has to start incorporating what is happening to the data itself.
Because that's probably the most important piece of information that an enterprise can have, right? So in an ideal situation, the data-centric security infrastructure, which combines discovery and labeling, rights management and data-centric audit, needs to work with all this existing security and IT infrastructure that is typically already there within the enterprise.
Now, modern-day technologies have gotten around these historical challenges using two key mantras. One is automation, and the second is what we call S. Let me talk about these two separately. So we talked about the challenges that user and administrative involvement bring. If a user is supposed to decide what needs to be protected, what policy needs to be applied, and so on, then chances are that if there are, let's say, a hundred thousand people within the company, then a hundred thousand people need to be enabled and trained to make these decisions, and that becomes such a big awareness exercise that the project almost never takes off. So one option here is, for example, for the user to manually protect the documents, the emails, whatever piece of data needs to be protected, but there are various levels of automation.
So a piece of data can also be protected as soon as it's extracted from a system, a report coming out of SAP, for example, or as soon as it's placed in a specific folder on a file server or a SharePoint location or Box, and so on, or as soon as it is discovered by a DLP system, or as soon as it is emailed, and so on. So there are various events in the life cycle of the data which can trigger automated protection without a user taking the initiative. And if you just translate this into, you know, what are the levels of decision-making that the user has to do? Right? So the first thing is the user has to decide what to protect. In a day, the user might be sending lunch invitations to his, and may also be dealing with highly confidential intellectual property.
And historically, the older solutions have got the user to decide what needs to be protected. Now, with newer solutions, and Seclore is part of this category, newer-age technologies have been able to get around this challenge and get more and more automation around DLP systems, SB systems, for example, or even a transactional backbone system like ERP, making a decision around what data needs to be protected. Because, for example, SAP already knows that this report which is being extracted contains highly confidential general ledger data, and therefore it should be protected, right? For that, no other input is required, and a user decision is not required in this case. The second is who should have rights, or who should have access to this piece of information, and what rights and policies need to be applied. And this is again not a new question: a file server or SharePoint, any form of collaboration,
there are already access control policies defined, and those same access control policies can be applied to this data when it flows out of that system. Of course, combined with this, whatever these rights and policies are, they are not static. So as a piece of information moves through a workflow, the rights and policies can change. And therefore, number one, how to evolve these policies, and then all this audit data that is coming in, right, who did what with this information, when and where, can also be overwhelming information for the user, and therefore integrations with security analytics tools, SIEMs, and other systems, and so on, can take over that function. So overall, all the things where a user needed to be involved historically have been removed with modern-day technologies. The net effect of this is that, whereas historically these solutions were dependent on people to take initiative, with all of these integrations and automation,
there are jumps in adoption that can happen. So for example, the day the system goes live, all the documents in SharePoint can get protected. And a week later, all the documents in all the file servers or share or Box folders which the enterprise is using get protected. And two weeks later, all the reports coming out of the CRM system which contain customer data can get protected. Now, all of this is happening without end users taking any initiative. And that automation is the key aspect of making this kind of technology a success, right? From a cost of ownership perspective, the biggest line item of cost is the administrative overheads and the user enablement support fees, right? Historically, that's what has been the cost factor and the overhead that has stopped large-scale adoption. But with all of this automation, these administrative and user overheads have been reduced down to the minimum, nearly zero in most cases.
And that's what is leading to large-scale success of this class of technologies. And combined with this automation is this whole concept of anys, where the technology works for any format, any operating system. It doesn't require an agent to be installed. That's very important, and is very friendly for external users. So for example, if there is an enterprise who's using a system, that enterprise's customers should not be forced to, you know, jump through hoops or download and install agents for them to get access to the data, and all in all, it means the native experience of working with data should continue. And these goals of automation and what we call anys have been achieved in modern-day technology. There's a lot of innovation that has happened in this space; Seclore itself has brought in most of the innovation that has happened in this space to enterprises all over the world. Yeah. So in conclusion, I think I'm a minute away from my time here. In conclusion, what I would encourage everybody here to look at is, number one, take a data-centric approach to security, because very quickly you are going to be out of options for how to secure and make sure that the data remains private. And the second thing is, for any large-scale deployment of this technology, focus on automation and anys.
Thanks a lot. I'll close my talk there. Martin, back to you.
Thank you, Al, for this insight and for all the information provided. Let's directly start with the Q&A. I already have a couple of questions here, and to the audience, feel free to enter additional questions. So the first question I'd like to start with is: definition of classification of your data is an important step. How many levels of classification would you create, and how would you deal with personal data not used in a corporate capacity, so for instance personal data used in personal communication? Michelle, what is your position on that?
I break this problem down into two parts. Number one is data that is being created by end users themselves. And over there, it has to be something really simple. I won't go anywhere beyond five; even five is a stretch. Typically my advice to most enterprises is to limit the classifications of data down to three, right? But the answer for system-generated data is very different, because, as in the example that I was running earlier, systems like SAP or SharePoint already know what is the confidentiality of the data and, number two, who should even have access to this data. So system-generated data or system-extracted data can be very, very granular without having any overhead for the user. So for example, and maybe I'm repeating here, if I already know that the CRM system is exporting reports which contain customer data, I can very granularly classify that data: this report contains customer data, and this customer data is related to customers in Germany, for example, and this should be covered under GDPR, and so on. Now, I don't need any user to tell me, because I already know all of this data. So user-generated data: very simple, three to five levels of classification. System-generated data or system-extracted data can be very, very granular: hundreds, thousands of classifications, and none of these does the user need to be aware of.
Okay. Thank you. Another question here is: do you recommend a big-bang approach to deploying data-centric security, or should it start with specific use cases?
I think for most enterprises, the choice of the technology has to have a vision for large-scale deployments, so the choice of the technology itself cannot be driven by one or two use cases. However, the deployment itself should be, you know, one or two use cases, whatever is the hotspot at this point in time, and that hotspot can change and evolve over a period of time. So today's problem might be customer data and, let's say, intellectual property protection, and maybe tomorrow's problems can be board communication and, you know, something else. So these use cases can evolve, but the choice and the vision have to be big.
Okay. So there's another question. Do you think data-centric security can be used to replace other security technology? So when we look at these circles I started with at the beginning, with data-centric security being at the core, should a company have all the layers, or can they replace something when shifting to data-centric security? What is your perspective on that?
Data-centric security typically replaces a few other security technologies which are out there, but not all. So the quick answer is yes, it can be used to replace. For example, I can talk through a couple of use cases. For one of the largest customers of Seclore, their main concern around allowing personal mobile devices was not really to govern the mobile device itself as much as it was the data which is going onto the personal mobile device. And in that sense, as the enterprise was able to make sure that any data reaching that personal mobile device is protected, the need for a traditional mobile device management, mobile security kind of system went away. Now, this is not to say that what data-centric security does will replace everything that a mobile device management kind of technology does. But if the use case is such that the primary objective is protecting data, then it can replace it.
Okay, one more question we have; let's pick the last one. What kind of scenarios drive the initial use of data-centric security?
I kind of answered this question, you know, towards the end of my talk, but I would broadly classify this into data protection initiatives; third-party risk, where enterprises are worried about data going to external agencies of all kinds; and of course security and privacy compliance kind of norms. Now, the second and third are kind of obvious here: you're worried about data going to external agencies, and you are worried about some kind of regulatory agency coming after the enterprise. But the first one, which is data protection initiatives, that is very broad. It could be intellectual property protection. In one case, again, of one of our customers, it was just to prevent insider trading, because forward-looking financial statements were being leaked and that leaked information was being used to trade on the company stock. So those kinds of use cases can also drive data-centric security adoption.
Okay, great. It looks like we don't have any further questions. So with that, thank you very much to all attendees of today's KuppingerCole webinar. Thank you to you, Richard, and Seclore for supporting this KuppingerCole webinar. Have a nice day. I hopefully will see you soon at one of our onsite events or one of our virtual offerings we have, including our webinars, master classes, etcetera. Thank you.
Thanks a lot, Martin. This play.