2020 ends a decade, and the new year prompted me to think, “Wow, it’s been two decades since we started Vormetric.” And the mission we started then still applies now. Data security is still a problem.
I remember when we were pioneering our first use case to prevent “root or administrator” from seeing data they weren’t cleared to see, yet be able to do their job. Some of our first customers were in financial services and government agencies, where our technologies were used to create a “need to know” in a system that obeys a strict privilege hierarchy and where “root” owns all things. Back then we were worried about somebody inside with too much privileged access, or someone outside hacking in for access, doing something nefarious, such as stealing a company’s data, or compromising its systems and wreaking havoc.
Vormetric and the technologies and products we built over the years solved a lot of those low-level security problems in the old “operating system” world. But as we enter our next frontier we continue to pioneer how to solve data security problems in a very “cloud native” world, 20 years later. And what’s to come? Is this new decade the quantum decade? What will the freedom of cloud native spawn in innovation? And as always, what will that mean for us in data security?
So, the problem of controlling access to data has not changed. However, technology and governance have.
We still use some of the same fundamental technological building blocks: storage, computers, networks, the internet. But the ways we use them, sell them, consume them, design them, and so forth, have changed. Cloud native technologies, which include such capabilities as microservices that expose capabilities of hardware, have advanced dramatically over the last 20 years.
The problem with technology is that it is porous and everywhere. And, unfortunately, security is still not designed into everything. So, in 2020 we’re looking at frontiers like the cloud and cloud native technologies (including microservices). And in this evolving environment, we’re still trying to enable trust, integrity, and the principle of least privilege in our systems. We’re still trying to control who (and now what) has access to sensitive information.
Governance around data security has also come a long way in the same 20 years. In 2000, there was no PCI DSS, no HIPAA-HITECH, no NIST 800-53, no GDPR, or anything like them. There was no compelling reason for an organization to protect data. There was no court that was going to fine you. So, why we need to protect data has fundamentally changed, and it has now become a matter of doing business. It’s just part of daily life. In every vertical market and every region there is governance or stewardship around data.
But, as we enter this next decade, there are a lot of data security frontiers we have to cross. We need to better understand what data is where, who has access to it, what control we have over the data, and what responsibility we have for it. These are all confounded by the evolution of the cloud, microservices, data analytics, ML/AI, and more, which will be driven by certain increases in computing power and inexpensive storage.
It does seem likely that as we go into the next 10 to 20 years, we’ll see more commoditization of problems. It’s constantly becoming easier to solve, through software, problems that humans can express to a computer. But with that come risks, such as making sure our future robot overlords (that we are teaching to become more autonomous) are doing good things, obeying good commands, and not being compromised by adversaries or bad design over time.
Data security is here to stay
Data is valuable. Bad actors will try to steal and use it for their own purposes, so the problems of data security are not going to disappear. In the next decade, we will have to think about it differently, because both our cyber environment and our cybercriminals will evolve. And we in data security will need to be a step ahead if we are to successfully secure data and protect the welfare of our organizations, our customers, our employees and all those who can be hurt if their data falls into the hands of nefarious actors.