Data Protection: Data Has No Jurisdiction episode artwork

EPISODE · Feb 17, 2023

Data Protection: Data Has No Jurisdiction

from Info Risk Today Podcast · host InfoRiskToday.com

In this podcast, Rodman Ramezanian, global cloud threat lead at Skyhigh Security, discusses why the risk of data breaches is so high, how security teams can protect data wherever it resides, and why security leaders should embrace a new mindset for data protection.

Episode metadata supplied by the publisher feed · Published Feb 17, 2023

In this podcast, Rodman Ramezanian, global cloud threat lead at Skyhigh Security, discusses why the risk of data breaches is so high, how security teams can protect data wherever it resides, and why security leaders should embrace a new mindset for data protection.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Data Protection: Data Has No Jurisdiction

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

Hi, this is Cal Harrison, editorial director at Information Security Media Group, talking about data protection, particularly that data protection knows no jurisdictions these days. Joining us today is someone constantly watching the threat landscape, Rodbin, Ramazanian, Global Cloud Threat Lead at Sky High Security, and author of the Sky High Security Intelligence Digest. Rodbin, it's a pleasure to speak with you today. Hi, Cal.

Thank you so much for having me. It's great to be here. Excellent. So let's dive in.

2023 is now well underway. Data breaches show no signs of slowing. What's so challenging about protecting data in this day and age? Well, Cal, I mean, the fact is that data, as you know, has always been the lifeblood of any organization.

And look, there's no denying how important data continues to be in the context of keeping a business operational and pro-productive and functional. And so as you know, data has always been in the crosshairs for the bad guys, for the threat actors who have always been hunting down data for their own personal or financial gain. And this has been the case since the dawn of computers. And look, the fact is that thanks to the pandemic over the past few years, all these major digital transformation projects have basically accelerated all the enterprise migrations to cloud platforms and that whole world of the cloud.

You've got a growing number of organizations who are adopting multiple clouds to complement their strategies. So basically, what you've got is this multi-faceted approach used by businesses all over the world to use and share and store data across their users' devices, corporate web servers, applications, platform, storage services, you know, you get the picture. So basically, across all these contexts, there are just so many ways to create, edit, distribute, access and save data. Not to mention, you know, data may be classified differently or may need to be handled a certain way for regulatory reasons, perhaps catering for devices that are used to access that data from certain places that might not be as secure as you'd like them to be and so on.

So I guess the challenge is, you know, imagine how difficult the task of protecting that data across all these different scenarios becomes, especially when, you know, security teams don't have a standardized platform or a methodology to get visibility, governance and control of their data wherever it goes. Well, obviously, people realize that there's a problem. Why do you think organizations have struggled with this issue? Yeah, it's a fair point.

I mean, as I mentioned earlier, I think because data plays such a huge role in keeping an organization alive, you know, that data, although it isn't exactly tethered and bound nowadays, you know, typically flows to wherever it needs to go for activity to keep on pumping. So you could say that data really has no jurisdiction. It'll go and be shared to wherever it really needs to go to fuel business operations. And, you know, like thinking back, traditionally, when data was only ever kept and accessed within the company's walls, it wasn't so onerous to stay on top of where data existed in an organization, you know, even knowing what it even consisted of, how it was classified, who was accessing it, what devices and so on.

But now you've essentially got data flying around all over the place being accessed, as I said, anytime, anywhere from any device, any user, essentially. And that's the whole premise of cloud computing, right? You know, you've got the public cloud, as you know, it isn't within the company walls. It requires a very different approach.

We can't use the same tools and methodologies of yesteryear to, you know, tackle the problems of today. And of course, as they say, security should aim to be a business enabler, not an inhibitor. And by that token, you know, security teams shouldn't be trying to limit the flow of data. You know, they absolutely should be enabling data to be used to its fullest potential and, you know, go where it needs to go to help the business thrive.

But again, as we mentioned earlier, in the absence of having a unified platform for, you know, security teams to have end-to-end visibility of whether data is going, who's accessing their cloud apps and services that may have corporate data, controlling safe use and sharing that data in so many other variables, it's easy to see why organizations continue to struggle with these issues. You bring up a really fascinating point that data today basically knows no boundaries. So in this kind of environment, who is responsible for that data? It's a common question, Cal.

I mean, look, in the cloud world, it's important for everyone to remember that cloud service providers provide some security protection. Of course, you know, the shared responsibility model, you know, basically outlines where the responsibility is live. But that doesn't actually mean that the cloud data is fully secure. You know, cloud service providers correctly point out that the responsibility isn't theirs alone, hence the concept of the cloud security shared responsibility model.

You know, if you take Microsoft, for example, they publish their model for their cloud computing resource, which is Azure, Amazon is a similar approach for Amazon Web Services. Now, both of these models point out that a secure infrastructure actually does rely on the customer playing their part to make the system truly secure and compliant. So to question, ultimately, the customer's own data that goes into these cloud environments is still their own responsibility. And as a result of that, you know, the user, device, data controls, they need to work together with cloud computing, especially as that data moves to the clouds, you know, in basically in space with clouds between clouds going from on premises to hybrid environments.

In all these different scenarios, the customer needs to keep in mind that the data is still ultimately their own responsibility. Yeah, that makes subtle sense. And you're in kind of a unique position that it's kind of a security where you see the threat landscape changing every day. Do you see this problem worsening as time goes on?

Look, it's definitely not getting easier, that's for sure. Why will, you know, there's no shortage of new devices coming online that enable that access and productivity that we spoke about, things like mobile devices, tablets, IoT devices, you name it. And I think the statistic goes something like, you know, the average user owns about four or five devices nowadays or something like that. And you've got, you know, also more and more cloud platforms and services that offer, you know, really great leading edge features for data usage and sharing among peers and business partners, for example.

And so the more we see cloud services and infrastructure expanding, and you know, as adoption keeps increasing at huge scales, as we mentioned, security teams need to keep up with the flow of data to make sure that it's secure, you know, wherever it goes at any point in time without jurisdiction. You know, so security teams can't afford to get complacent with something like data protection. And you know, looking back over the past year, we had more than one example in 2022 of high profile data breaches across the globe. We had some really big names, really big tech firms who unfortunately felt victim and had their data breached.

And so ultimately, when you consider that data, you know, has no jurisdiction or bounds, you can either be the security leader who holds back the business by restricting data accessibility and trying to put, you know, tethers on how data can react and where data needs to go, or you could be the leader who securely enables the entire business to thrive without compromise and without sacrificing the security of the data. You're listening to an ISNG podcast brought to you by Scott High Security, and now a quick word from our sponsor. Sky High Security is pleased to release the 2023 cloud adoption and risk report. Since the global pandemic, more and more organizations are relying on the cloud to manage the remote and hybrid workforces.

Whether your organization has a 100% remote, hybrid or on-site work environment, sharing data in the cloud will continue to grow exponentially. Cloud security needs to evolve at a pace to handle the complexity of monitoring and controlling data flow and persistent challenges like shadow IT. The new reality from a security perspective is that not only do organizations need to know where data is going in order to protect it, but also where it's going in order to keep it from being exfiltrated. Download the latest report and findings and discover the right approach to securing data in the cloud.

A top-down approach that focuses on the data itself rather than the traditional bottom-up process of starting from where it is stored. Check out SkyHighSecurity.com today. So how can organizations turn the tide so to speak and make positive progress toward protecting data? It's a really important point, Kal.

Organizations, as you mentioned, cannot afford to view data protection as a sort of one-off or a deferrable expense, especially when you take into account the abundance of opportunities for data leakage and data theft nowadays. The first step to solve any problem, of course, is knowing what you're dealing with. And before you can protect anything, you need to know who's storing what and where. When you bring these things together, the amount of data that's kept by most enterprises, whether it was migrated from on-premises or originally stored in the cloud, it's vast.

And so for security teams to get a handle and what they're up against, it's obviously critical. But of course, knowing that data can flow practically anywhere, as we spoke about earlier, security teams cut with all their eggs in one basket, for example, just cloud protection. Of course, there's a wealth of data sitting on corporate laptops and devices, it's flowing through with their internet gateways, and so many other realms beyond just cloud buckets and blobs and what other storage services there are. So I guess a quick win for a lot of security teams out there is setting guard rails that basically predicate safe data usage, anything from plugging in removable media devices and taking print screens to posting data on a public forum through a web vector or the classic old example of accidentally leaking out something to freepdfconverter.com for a business report that's coming up or emailing something to their personal account to work on it later from home, but being unaware that that may actually constitute data loss.

Especially when you've got things like Office 365 nowadays, you've got WebEx, Zoom, Salesforce, and so many others, just think about how many potential leakage points there are for data to get out in all these weird and wondrous ways. So I think equally important is having a unified standardized approach that gives these teams these security practitioners end to end visibility. Everything from the point of data creation to where it's been copied and shared to, whether it's been accessed from an under location and suspicious time, perhaps a device you've never seen before, whether it's a storage device that's configured a certain way or perhaps someone's taking a photo of some sensitive data and uploaded a screenshot, being able to use things like optical character recognition to spot a leak. So there are quite a lot of features that we can get into the weeds with, but I think fundamentally security teams need to set some guardrails on what constitutes safe usage and what doesn't.

Those were all some excellent points and as you alluded to earlier, 2022 was a pretty rough year just in terms of data protection. There were a number of high profile organizations that felt the brunt of some really large data breaches. Looking to the future, what do organizations need to do to remain safe and keep their names out of the news headlines for the wrong reasons? It's a very common question as well.

Of course, for thinking, in my opinion, security features within public cloud platforms, your sort of public services like AWS and Azure and so on, they will get better as time goes on and they will get stronger and far more feature-rich. But there are, as we mentioned earlier, a number of fundamental sort of non-negotiables that security teams and the organizations just cannot neglect. And again, that's identifying and classifying their data, knowing where and how their data is being stored, shared, used, and so on, and determining how it needs to be protected across all these vectors at all times. Because ultimately, attackers know how valuable your data is in their own hands.

They have ample opportunities to try their skills to get access to it. They've got things like advanced AI chatbots nowadays, like chat GPT. They're actively assisting threat actors in their efforts to attack systems. Of course, they have some good uses too, but they are helping attackers to craft phishing emails and formulate exploit attacks.

And so ultimately, the attack surface is definitely intensifying. We're not just up against highly skilled attackers anymore. You've got Gartner predicting by the end of 2024, 75% of the world population will actually have its personal data covered under modern privacy regulations. So on the privacy and irregularity front, organizations have to continue their efforts to remain compliant and uphold their own protections.

But I think to recap, security leaders need to get the basics right. And they should be looking to adopt a converged platform that will not only protect their data without compromise and, again, across any jurisdiction, but the ability to do that everywhere it goes, whether it's on devices, whether it's going through their web infrastructure, whether it's on their cloud platforms. Well said. So tell me, what are you hearing from your customers about data protection challenges?

And what's the advice that you're giving to them? Yeah, it's fascinating, Cal. I mean, what was old is essentially new again. You know, back in the day, it was all about social engineering and tricking people into doing something that they obviously weren't aware of.

Then the threat landscape moved into the more sophisticated things like zero-day threats and really leading edge types of viruses. But, you know, it's interesting to see that social engineering has been rearing its ugly head again. And so many organizations have really been struggling with it, you know, especially a time when, you know, businesses have modernized their digital workspaces, they're using the web and cloud from all sorts of locations, as we said, different devices, different times, you know, there's so many variables that are presented now. And so, you know, sky high security, who I work for, we work to help protect these organizations with things like cloud native security capabilities that, you know, they're both data aware, you know, they're aware of data wherever it may go and how to be able to mitigate those threats.

But it's also super simple to use. You know, it's something we've got lots of praise from the likes of Gartner and Forrester for being leaders in the security service edge space. And it's something our platform goes beyond just data access to extended to data usage, which allows, you know, businesses to collaborate for any device without sacrificing security. And I guess the unique differentiator in the case of sky high security is that our entire portfolio in our platform is underpinned and converged with data protection across devices, web and cloud vectors.

So again, when we talk about giving security teams exactly what they need to catch these threats, we're giving them the end-to-end visibility and the entire story so they can see where data may have flowed to across any vector without prejudice on, you know, only cloud or only devices that locally present and so on. So I think that's really the resonating thing from customers is that just doing it tough with social engineering and this explosion of cloud that's allowed them to do so much more than what they could. But, you know, also not having to hold back their business operations without sacrificing security. Awesome.

Robin, thank you so much for, you know, getting into a deep dive on a topic that's really top of mind for a lot of people. It was really insightful. I've enjoyed talking with you about this. Likewise, thanks so much, Cal.

Appreciate it. You're welcome. We've been speaking with Robin and Ramazanian at Sky High Security for Information Security Media Group. I'm Cal Harrison.

Thank you for giving us your time and attention today.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on February 17, 2023.

What is this episode about?

In this podcast, Rodman Ramezanian, global cloud threat lead at Skyhigh Security, discusses why the risk of data breaches is so high, how security teams can protect data wherever it resides, and why security leaders should embrace a new mindset for...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!