Paying attention to data privacy and security is no longer optional. From a mega breach at Equifax to emerging regulations such as GDPR, data security is driving both today’s headlines and the IT initiatives of tomorrow. Join us for a fascinating discussion on how data privacy and security have evolved in 2017—and what to expect in 2018.
Hi everybody, thank you for joining us for our first webinar in our Data Privacy and Security Webinar series. My name is Alexandros and I am the Product Manager at Delphix responsible for all things security. I am here along with my colleague Matt, our Director of Product Marketing here at Delphix.
Today we are very excited to be doing our Data Privacy and Security Year in review where we go over the top 10 security trends we have seen develop in 2017 and discuss some of the predictions we have for 2018. This is the first webinar in a 4-part series that will cover topics like “Why your approach to Data governance needs a major update”, “GDPR and what it means for you” as well as a demo of the data masking service in our Dynamic Data Platform.
Just a quick glance at the agenda for today. First we will take a look at the top security trends of 2017, dive into the predictions for 2018 and finally give you a small glimpse of Delphix’s Dynamic Data Platform and how we think about data security.
With all of that said, let’s jump right in.
So what are the top trends of the last year? That is a great question and it is one that Matt and I spent a fair amount of time thinking about throughout the year. The trends we have identified here are based on experience we have with our customers, discussing security trends with security experts throughout the industry, as well as research done by highly respected security analysts.
Matt, do you want to dive into our first trend for 2017?
Trend #1: Data risk is becoming more and more decentralized
Enterprises have never had data in one place, and there have been few enterprises that have truly standardized against a single data repository type or technology
BUT in 2017 and across the last few years, we’ve seen an explosion in not just the types of data sources that enterprises maintain, but we’ve also seen growth in the number of locations or environments where those sources reside.
If you go back 15 years, to 2002
There was really only one public cloud vendor – Amazon Web Services
There were a limited number of RDBMS systems seeing heavy use at an enterprise level
And Software as a Service was still in its infancy
Fast forward 5 years you start to see more options pop-up
2012 sees the emergence of Big Data as well as the 3 key cloud service providers – Microsoft Azure and Google Cloud in addition to AWS
By 2017, companies are starting to truly adopt big data systems and the cloud with these technologies reaching maturity
Enterprises have significantly more options for storing and managing data
At Delphix, when we talk to our customers they have requirements to support multiple database types and clouds – they all have data in hybrid environments and offsite and this data needs to move from place to place.
Our customers who keep data in AWS, for example, may also have data in Azure and have requirements for portability across these and other clouds
Data is increasingly spread out over multiple locations and, correspondingly, your data risk spreads and shifts as it moves.
This is only made worse by the simple fact that enterprises have more applications and more data
The average enterprise-level company in 2017 maintains 483 different applications, with each production application associated with multiple copies of its underlying data
IDC says that by 2025 there will be 163 zettabytes of data, with enterprise data being the fastest growing segment of all types of data
The second trend we’d like to highlight is the increasing importance of data security for cloud migrations
First off, we know that cloud adoption is accelerating at an impressive rate
Cloud spend is growing at a 30% compound annual growth rate
The growth of the overall IT market is driven by demand for cloud technology and services
And the biggest companies in the world have concrete plans for cloud adoption that they’ve announced to the world
A shift is currently well underway
While today’s enterprises have application portfolios mostly on prem, they’ve clearly signaled their intent to move down this blue line in this chart here to reach a point where the balance of their apps are in the cloud
And to achieve this shift, they need to solve data security
When enterprises are surveyed by analysts and systems integrators, security is cited as the #1 barrier to adoption – Forrester, Gartner, IDC, and Accenture have done research that all point to security as one of the greatest concerns ahead of a cloud migration project.
And at Delphix we see this as well. When we ask customers about their cloud adoption challenges – the first thing that comes up are their requirements to secure their data before they even think about moving it to the cloud.
https://www.accenture.com/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Dualpub_25/Accenture-cabu-position-paper-cloud-concerns-us-web%20(1).pdf
Great, thank you Matt. Our 3rd trend is that organizations are realizing that encryption is simply not enough. This is another one of those trends that is very tied to some of the other macro trends we have discussed like – data becoming more decentralized and the need for data for cloud migrations.
For a long time, it seemed like the notion most organizations had about data security was that encryption (whether for data in flight or at rest). What more organizations are realizing though is that it is not that simple.
Encryption has 2 main advantages/use cases that it is very useful for. The first is when sending data between 2 parties like an email or a file sent over the internet. The other is when protecting your main production data at rest.
But where it is really not effective is in non-production use cases where the number of users who need access to the data is much broader. These non-production environments are especially vulnerable to phishing schemes where hackers attempt to obtain user credentials to access the data. For these non-production environments, other methods of securing your data like data masking have proven to be much more effective and useful. We will talk a little bit more about what data masking is later.
The 4th major security trend is another important one that I think most individuals involved in security can sympathize with. What we have seen in 2017, and honestly in the last several years is that there simply are not enough security professionals to meet the needs of organizations. And this problem is becoming even worse as time goes on due to several other trends that we have already talked about. For example, the fact that data is becoming more decentralized across different clouds, SaaS services, and types of databases means that security professionals need a broader sense of skills around these different data sources.
A second reason that there simply are not enough security professionals is driven by the fact that security has become front and center for almost every organization. Every organization is afraid to become the next Equifax, Target, or Uber – and they are raising the expectations they have of their security teams. This means more stringent security procedures and launching larger security initiatives – all of which have a need for skilled security professionals.
So how big is this problem really?
Well we believe the problem is very large and will only be getting bigger. A recent study by ISACA reviewed some interesting statistics. They believe there will be a 2 million global shortage of cyber security professionals by 2019 and that cyber security job growth will outpace overall IT job growth by 3 times.
An even scarier stat is that over 80% of organizations they surveyed believed that less than half of applicants who applied for open security jobs were qualified for those jobs.
Trend #5: There is a growing constituency of Data Consumers who use data to drive new projects and innovation: this includes developers, testers, analysts, data scientists, and more.
Today’s companies are increasingly driven by software, and decision-making depends more and more on sophisticated data analysis, making more of today’s workers dependent on having access to data
In 2017, the rise of DevOps, cloud, IoT, and AI means demand for greater volumes of data, faster
At Delphix, one of the things we’ve noticed is that we’re interacting with more and more customers who are building an organization dedicated to managing data. Sometimes this org is built around a Chief Data Officer and is composed of both data operators – folks like DBAs, InfoSec personnel, and other stewards of data – as well as different types of data consumers– folks who derive insight and drive change through data.
At Delphix, we do like to point out an important dynamic that’s emerged with the rise of the data consumer.
On one hand, you have this quickly growing constituency of consumers who need access to data at faster speeds
On the other hand are forces driving to constrain data, restricting access and availability:
Data is doubling in size and in complexity.
It’s spread out over many types of repositories
It’s also very risky: Sensitive information is vulnerable to breach and subject to regulatory measures
These 2 opposing forces create what we call Data Friction: data operators struggle to manage, secure, and deliver data environments demanded of them. And users are still struggling to access, manipulate, and share the data they need.
As we look to the future, a key theme will be solutions designed to eliminate this friction to speed up data-driven innovation.
Great, thank you Matt. Next, we are going to dive into a few security predictions for 2018. 2018 is going to be a very exciting year for the security industry. We expect to see a significant amount of innovation coming from organizations and even governments.
Let’s jump right in.
Our first prediction for 2018 is the growing importance of Machine Learning technology. At this point this is probably a technology you have heard of because of its growing importance in many industries.
Now, we hear machine learning in the headlines all of the time nowadays, but really what is it? At a high level, it’s actually pretty easy to understand the technology. There are basically 3 major steps in most applications that use machine learning technology. First, is that developers develop algorithms that are built to recognize patterns when you feed them data and some kind of classification. After that the algorithms or machine can look for patterns it has already learned in the data. Once it encounters a familiar pattern it can make some sort of prediction about the data.
A great example of this in the security industry is several companies that are building applications that monitor things like network traffic to identify patterns outside the norm. These abnormal activities in network traffic could mean some active security breach in progress.
But we believe we are just at the forefront of really understanding the impact machine learning will have on different industries, including the security industry. In 2018 and beyond we will see the most innovative companies beginning and furthering injecting machine learning into their solutions to make them better and provide more value.
Machine learning really is a game changer.
The GDPR is a relatively new, European Union-based regulation that sets strict limits on businesses that collect, use, and share data from EU citizens.
Companies—EU-based or otherwise—face new requirements that compel them to redouble their efforts to protect sensitive information.
Again, GDPR impacts not just companies based in the EU, but any global business that stores or traffics data related to EU citizens.
To comply with GDPR, companies need to adequately secure confidential information that directly or indirectly reveals an individual’s identity.
GDPR also sets standards around breach notification: For certain types of breaches, businesses are required to report the incident within 72 hours
GDPR punishes businesses that fail to leverage appropriate protection. The fine for non-compliance can be harsh: as much as 4% of global revenue, certainly enough to jeopardize ongoing European operations for any business selling in the EU.
And there’s a May 2018 deadline for compliance….
We predict that many organizations will not fully have their houses in order by this time, and that buzz around the regulation won’t subside come May.
IDC says that 87% of CIOs believe their current policies leave them at risk under GDPR and that 58% of survey respondents believe that their companies will be fined under GDPR.
As the law becomes enacted and as the first few organizations are fined, we believe urgency around GDPR will grow for organizations that believe they do not fully comply. This will be the wakeup call that the EU is getting serious about data privacy.
Next, this brings us to our third prediction. This third prediction is that governments around the world will follow the EU’s example and develop additional and more stringent data privacy and security laws.
This map just shows some of the data protection laws that currently exist around the world or are currently in the process of being implemented. Expect more of these to pop up throughout 2018 and also become more strict and far reaching. We are already seeing movement on this for 2018 with the new proposal in the US Congress to mandate huge penalties and possible jail time for organizations/individuals that do not report data breaches.
Our fourth prediction is that we will see the continuing rise in the prominence of the Chief Security Officer within organizations. This is going to be especially true for any organizations that are impacted by GDPR due to the fact that GDPR requires by law that someone be named a “Chief Protection Officer”.
Some stats to demonstrate this trend are that in 2017 65% of organizations around the world had CISOs which is a 15% increase from 2016. Expect this number to increase even further in 2018 as organizations look to put the responsibility of data security on a single executive.
Prediction #5: A major data breach will hit an organization in 2018 with a non-production environment as the site of the attack.
Breaches in both the private and public sector have cost millions
That’s just considering the breaches that have made the news – but there are many more that go undiscovered for months or years
Customer churn, fines, reputational risk—those are all the real dangers of data breach
I think these ideas are well understood by this audience.
But what is surprising to some is the importance of protecting non-production environments as it relates to breach protection
A key insight we have at Delphix around data security and privacy is that where businesses are most vulnerable is actually not in live production environments, but in non-prod environments for development, testing, reporting, or analytics.
In fact, most of the surface area of risk for data breach is situated in non-production environments.
Much of this is due to the data sprawl that we see in today’s enterprises
For every copy of prod, businesses create 10-12 copies for non-prod and this sprawl multiplies the surface area of risk
Making matters worse, these environments are often less scrutinized from a security perspective, putting businesses at risk and suggesting that the likelihood of an attack on non-prod is high.
At this point, I do want to transition and say a quick word about Delphix
At Delphix we provide a solution that integrates data masking and data delivery, to solve data privacy & security challenges, and we call this solution the Delphix Dynamic Data Platform
Our platform installs on-prem or in the cloud and ingests data from various sources – oftentimes this is an RDBMS such as Oracle, SQL Server, DB2, AWS,
It virtualizes that data, allowing users to create lightweight virtual copies that are space-efficient and highly portable
We can automatically apply data masking to those virtual copies to protect sensitive information
Finally, we package those virtual copies into personal data pods that are delivered to end users in just minutes.
Data pods contain secure, virtual copies of data along with data controls that allow users to manipulate that data: users can instantly refresh, rewind, branch, or share those copies as a self service
I mentioned data masking earlier
What a masking solution does is that it transforms sensitive data values – names, email addresses, social security numbers, credit card numbers – into fictitious yet realistic values
The key here is that we scramble the data in a way that’s irreversible, secure, and yet intelligent. The data is still usable after it’s masked.
So if you’re a developer, you often don’t need the actual information resident in the data, but you do need that data to look, feel, and operate like the real thing.
In this example here, Mary is masked to another name Clara and John is masked to Damian.
We do this very quickly and in a way that preserves the referential integrity of the data.
Again, in this example, Mary is masked to Clara consistently, across the Oracle tables and the SQL Server tables. This is a really common requirement that we encountered at Delphix.
I referenced how Delphix integrates data masking and data delivery
And that’s really the key to making masking practical, effective, and repeatable.
There are 2 challenges that a masking solution must address: that’s creating the masked data, and then moving it where it needs to go.
Most masking solutions only address the former, leaving teams to manually deliver data to downstream environments, a process that in most organizations takes days, weeks, or even months.
Delphix, though, lets teams mask their data, then provision virtual copies of that masked data in minutes and as a self-service.
With the Delphix Dynamic Data Platform, you can pull in your production data, mask it with referential integrity, and then deliver as many secure copies as you need to non-production environments that, otherwise, represent a huge security risk to your organization.
A little bit of background on Delphix
We’re based in Redwood City, CA outside of San Francisco and have over 350 employees led by a world class executive team.
Over 300 global customers use our Dynamic Data Platform, including over 1/3 of the Fortune 100
Just some of our customers are listed here
These are companies that aren’t just using in a small corner of their business, they are truly standardizing on our platform to increase the agility of their operations, to protect their most sensitive information, and to comply with the world’s toughest regulations such as GDPR.
With that I’d like to
Seed questions
Don’t cloud vendors like AWS already have data privacy solutions in place? Will those solutions be sufficient to protect cloud data? (M)
Alerting, monitoring solution, encryption, access control measures
Single governance platform across clouds. Most organizations
Environments accessible to more data consumers – insider threat, use case where you’re giving access to someone
What are some best practices for launching a GDPR compliance initiative for a US-based company? (A)
What data sources does Delphix support? (M)
Does Delphix use machine learning? (A)
Why can’t we use encryption to protect test data? (A)
How can we leverage Delphix with cloud services? (M)
Does masking our data make us GDPR compliant? (A)
On average, how long does it take to implement Delphix masking? (M)
Are masking tools used to secure data for BI/reporting? (A)