Getting Data Protection Right Across Dynamic Hybrid Data Environments

Data security and privacy have always been a concern for organizations. Unfortunately, concern for data security and privacy often ranks below concern for using and monetizing data. While everyone may be cognizant that a data breach could result in financial loss, brand damage, operational disruption, and compliance ramifications, they are equally aware that data is the heart of organizations’ successes. Companies have a financial stake both in collecting and using data and in protecting it from unauthorized use. Yet an organization's need to give employees authorized, easy, and quick access to data often trumps the implementation of security protections that may limit potential for harm.

Over the years, as the number and size of data breaches have continued to mount, lawmakers and regulatory bodies have decided to step in and mandate better controls around data access and use. The EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are just two of the most well-known examples of how states are attempting to minimize infractions against consumer data privacy.

But regulations and laws aren’t enough. Controls around data access must be implemented. Doing so, however, has historically been at odds with the speed at which users and their businesses require access. Having led product teams at Incapsula, a content delivery network spun out of and then subsequently re-acquired by Imperva, Eldad Chai and Yoav Cohen knew a thing or two about application delivery mechanisms and the need for easy access to sensitive data. They also understood that security and compliance were of no lesser importance, but that the balance between quick, easy, and secure access wasn’t an easy one. For starters, organizations had trouble identifying data stores, even ones containing sensitive data. For another, even if the data could be located and identified, the way it was being stored made applying access and privacy controls in a uniform way close to impossible.

Not only did these complications fly in the face of security, but they made organizations prone to failed audits and violations of compliance. After years of leading teams for security product companies, Chai and Cohen decided to build their own company—Satori Cyber—where they now serve as co-founders and CEO and CTO, respectively.

Secure without the hassle

Speaking by video chat earlier this week, Chai explained to me and Ed that Satori’s mission is to “build a secure data access platform that enables easy, secure, and compliant access to sensitive data without slowing down the business.” He explained that the company’s platform, which they describe as a secure data access cloud, “decouples data operations and access to allow companies to move fast.”

Deployed as a fully containerized SaaS solution for cloud-native environments or on-premises for customer-hosted environments, Satori is a proxy service that sits between consumers of data and data stores. When users, whether data scientists, DevOps teams, or engineers, query data, both the query and the result are routed through the Satori proxy engine, which automatically inspects them and builds a data flow map. The contextual engine asynchronously analyzes the user’s identity (Who?), the data requested (What?), and behavior (How?). Importantly, Satori profiles user access in the environment to learn baseline behavior and can thus identify anomalous or suspicious activity. Based on the answers to these questions, Satori applies granular access policies that are detached from the specific limitations of data locations.

“Decoupling data access policies from the data infrastructure was important to us,” said Chai, “because organizations and their data environments are dynamic. Companies need to be able to adopt and use different infrastructures without worrying that policies are going to break every time people move between roles or the environment changes, forcing administrators to manually update policies.”

Centralized management

Chai also noted that the need for central management of compliance was driven by experience: “When we were at Incapsula then Imperva [after the acquisition], all of the security, compliance, and privacy requirements were being funneled to the product teams.” They saw first-hand how this process slowed down compliance auditing and increased costs for the organization.

The management console allows for unified visibility and granular policy implementation, making it easy for auditors when an audit is required. Access requests are inspected each time data is queried, meaning the platform complies with zero trust security principles, which in turn strengthens data protection controls and meets or exceeds compliance mandates.

To get started, Chai says all it takes is a simple configuration change; changes to the data stores themselves are not necessary. Through the management console, an admin selects the type of data store they want to protect and enters its hostname. Satori then generates an alternative hostname that points to the proxy service. The rest is automated. In addition, Satori integrates via API with Okta at present and will soon be expanding its identity provider partnership ecosystem for further ease of use.