What is DataSecOps and why it matters

In this Help Net Security podcast, Ben Herzberg, Chief Scientist at Satori, explains what DataSecOps is, and illustrates its significance.


Here’s a transcript of the podcast for your convenience.

Hi, I’m Ben Herzberg, Chief Scientist at Satori. In case you don’t know Satori, what we do at Satori is streamline data access and security with DataSecOps. We’re simplifying and securing data access to data stores, such as Snowflake, Redshift, PostgreSQL, and others. That means, for example, things like allowing easy self-service access to data sets, approval workflows, security policies on data access, and more.

Today we’re going to talk about DataSecOps, what is DataSecOps and why it matters. But before speaking about data, let’s have a fast recap of what happened with application security when the industry moved to CI/CD and DevOps.

And so, in the past, applications were sitting in data centers until they started to gradually move to public clouds. This accelerated development and enabled CI/CD, which meant creating products with faster and smaller iterations in a very agile way. This drove innovation and is one of the reasons we enjoyed such a great leap in technology, especially around applications in the last decade.

However, the DevOps revolution also created gaps in security. Companies that were used to a more controlled software development life cycle had to adjust their security as well to the new continuous and agile deployment. This drove the philosophy or methodology of DevSecOps.

The same is happening with data. Data is moving to the cloud or, to better phrase it, data is already largely gone to the cloud. I’m not talking about data that’s tightly coupled with applications and moved with applications, but even the larger data stores used for analytics, data science and such use cases. I’m talking about the data that’s stored in data lakes and data warehouses.

The majority of enterprises either already use public cloud data warehouses or have concrete plans to move data to public cloud data warehouses, such as Snowflake, Redshift, BigQuery and others.

An important driving factor in data usage is that more people within the organization are using data in what’s called data democratization. Once access to data was limited to specific teams like BI or otherwise, it was very limited. And so with data democratization, more teams are consuming more data.

There is a widespread use of data for uses such as analytics and prediction by all teams. For example, sales, customer success, and other teams are now actively seeking new data within the organization or outside of the organization to help them achieve their business goals. This means there are both small data consumers, but also more producers, and data that is continuously changing and it’s much more agile in nature. This leads to organizations having a DataOps methodology.

There are, of course, some slightly different definitions of DataOps, but according to Gartner, DataOps is the collaborative data management practice focused on improving the communications, integration and automation of data flows between data managers and data consumers across the organization.

The impact of DataOps adoption by organizations is a more streamlined data service which supports the data related value propositions and is an enabler for data use as a business enabler. So, having a more continuous data life cycle with more rapid changes sounds familiar, right? From DevOps and applications.

I think it’s pretty clear that what happened with DevOps is the same as what’s happening with DataOps. Operationally, the business must use its data in new ways, which means more people who put data in data stores and more people who read this data or need access to this data.

As we learned from companies diving headfirst into DevOps, we can’t allow DataOps to come without security bolted into it. In other words, without DataSecOps. DataSecOps is an agile, holistic, security-embedded approach to coordination of the ever-changing data and its users, aimed at delivering quick data-to-value while keeping data private, safe and well-governed.

Let’s discuss some of the principles of DataSecOps.

Number one, always prefer continuous and gradual processes to ad hoc projects. As data is changing rapidly, the data privacy and protection are also fast changing. You don’t want to go for large security and governance projects that are losing relevance fast and gaining risk until they’re done. As an example, a fully blown mapping and analysis of data access permissions, which often takes a lot of time and may change quickly, is less desired and quick incremental changes in data access are preferred.

Security needs to be bolted into DataOps, not an afterthought. This means building a cross team, ongoing collaboration between security engineering, data engineering and other relevant stakeholders, and not just at the end of a big project. This also means that the security of data stores needs to be understood and transparent to security teams.

Number three, in the ever-changing data world, and with limited resources, prioritization is key. You should plan and focus on the biggest risks first. In data that often means knowing where your sensitive data is, which is not so trivial, and prioritizing it much higher in terms of projects and resources.

Number four, data access needs to have a clear and simple policy. If things start getting too complicated or non-deterministic around data access permissions, and by non-deterministic, I mean that sometimes you may request access and get it, and sometimes you may not get it, you’re either being a disabler for the business data usage, or you’re exposing security risks.

Last, number five, last but definitely not least, access to data should be fast and simplified while not compromising on data security. Now, this sounds challenging or even conflicting, but managing to do so with clear data access workflows and policies and things like that, will get your company quick value from data while maintaining a low level of security risks.

DataSecOps is in its early stages. I’d be happy to work with others on expanding DataSecOps and making sure organizations adopt DataSecOps and keep data secure while deriving value from it.

If you’d like to learn more about DataSecOps, you’re welcome to contact me or you’re welcome to visit our website, satoricyber.com.
