Hello, listeners. Today we are releasing another episode from our new series entitled The Gene Simmons of Data Protection, The KISS Method, brought to you by none other than Protegrity. Protegrity is AI-powered data security for data consumers, offering fine-grained data protection solutions so you can enable your data security, compliance, sharing, and analytics. In today's episode, we're talking with Ivana Rechka, solution architect of Protegrity, as she dives into the ever-evolving landscape of cybersecurity.
As threat actors become more sophisticated, it's critical to reassess and simplify security strategies in order to stay one step ahead of the threat actor. She will explore how businesses can leverage data securely, democratize the data and build trust by implementing security through simplicity.
Well, Ivana, thank you for being on the show today. Thank you for being on Code Story. Thanks for having me. Before we jump into our topic today, around "Are your systems smarter than a threat actor?", I'd love for my audience and myself to learn a little bit about you. So tell me about you outside of being involved in technology.
I'm a mom of a three-year-old, so in terms of hobbies, I had to adapt to pretty stationary hobbies for the time being. So in my pastime, I love spending time in the garden. I enjoy tending to the plants. In fact, I've redesigned the whole garden to require very little water as we live in the south of Spain. So that's important. I also love arts and crafts, and that's something where my toddler can participate, and I love the whole process.
So, like with photography, it's not just taking pictures, but it's the whole setup, the printing, making albums. And I'm also a bookworm, and I lead a local book club. We actually live in a city, so when I say garden, it's a tiny patch of land in the backyard. But when we moved in, there was only a single palm tree and an artificial grass.
So there was a lot of potential for a change. And it's a cool activity because you spend time outdoors. Plus, again, my son can participate. He can reshuffle things with me. He can move things around. He can dig in the ground. So it's fun for the whole family. I appreciate that overview. Let's dive into the meat of it then. So, you know, a title for today's episode is, are your systems smarter than a threat actor?
I'm curious, what are some common signs that an organization's current cybersecurity methods might be outdated? What are the things to look for? The first red flag that would stand out to me would be certainly the lack of control and visibility over who can access what data and which system. So these are typically grouped under identity management, data security, access controls. And if you break them down to smaller issues, I'll look for things like...
Do you have different identity management systems over different platforms that you're utilizing? Or perhaps do you have database admins that have access to all data and visibility of all data? That's actually quite a classic problem. I would also look at whether you've implemented a multi-factor authentication in the company, as this is this one thing that can make a huge difference and can protect you from so much, but still I feel a lot of companies are lagging.
That said, I feel like technology can only do so much. And I think the bigger red flag is the mindset that you have as a company. There's this problematic mindset of organizations that equal compliance with security. And it's a very dangerous mindset because you may be compliant, but that certainly doesn't mean that you are secure. Security is not a checkbox exercise. Security is a culture. So that's fantastic. I'm curious about...
As threat actors become more sophisticated, the data threats themselves, they evolve. The way they go about attacking a system evolves. How have those data threats evolved from your purview, from an expert's purview, and how can organizations stay ahead of these, you know, sort of ever-shifting cyber criminals? One thing is for sure, that is that the cyber threat landscape continues to evolve. It continues to innovate. We live in a world where ransomware is one of the more prominent attacks.
And not only that, it's over the last couple of years, it's morphed into this ransomware as a service model in which you, as a cyber criminal, you can go on the darknet and purchase ransomware. And that will come with the installation package. It will come with technical guides and how-tos and even a support line.
And that makes that kind of attack so much more scalable because you have the part of the criminal world, the cyber criminal world that develops the software, and then you have the attacker part that actually launches the attack. The other type of attack that we're seeing on the rise is a supply chain attack. And this is something that I feel in the past people maybe didn't pay enough attention to, but they are starting to consider it more seriously, both organizations and the regulators.
So a supply chain attack is a type of attack where the hacker goes after your third party software provider or business partner or any kind of supply chain vendor. And the intention is that they try to hack one system to get to many businesses. These types of attacks over the last... two years, and I can give you some examples, like the MOVEit attack that was an exploit of a file transfer software that led to compromise of over 2,000 companies, which is a huge number.
We also had a Snowflake-centric attack just last year. And again here, Snowflake is a managed cloud database. And here, the database vendor was the one targeted, but that led to a data breach of multiple companies that stored their data in that cloud database. Similar with Finastra, that's a fintech company that processes data of major banking institutions. And this is who the attackers targeted.
Now, to answer the second part of your question, so how can organizations stay ahead of cybercriminals? That is certainly the more complex answer. I think to answer that question, the paramount thing is to understand that if you're operating in a digital world, by default or by definition, you operate in a world that is hostile. The key is to move from that reactive to proactive approach.
I think these things have to come together. There's also, of course, some very useful principles that you can adapt and you can aspire to, such as zero trust, least privilege, or security through simplicity. the evolution of this and how we can protect ourselves as organizations. Can you explain a concept to me, the concept of security through simplicity, right, which is kind of the cornerstone of what we're talking about in this series, in Protegrity's series?
The security through simplicity. Explain that concept to me. And why is it important for my audience to know? Security through simplicity is a very interesting concept. And it is important to say that this is an idea. This is a principle. It's not necessarily a blueprint, but it's something that you can look to and try to adapt as far as you can. The big idea here is that complicated environments have a wider attack surface.
So this is something I've touched on before. If you have very disjointed systems with different role-based access controls, depending whether it's the cloud or it's on-premise, or you run monolithic systems where there's just tons going on, interconnected software, it's going to be very difficult for you to understand those systems, to see what's happening, to audit them, to test them, and even to spot if there is an attack or if somebody managed to get into your environment.
So this is what Security through Simplicity tries to say. You should move towards simpler systems. And modularization is actually a big part of it. So to give you an example, because all of this is potentially abstract, but one of the examples I think people can connect to are microservices, which abide to this idea. This is the same thing that we do at Protegrity. Our solution, I think this is one of the more important things, is platform agnostic, meaning that you can have one tool that does data security no matter where data lives, whether, again, it's on-premise database A, B, or C, in the cloud or in transit.
And that's extremely powerful because that allows you to build a control framework over your data to have an essential place where you understand exactly how your data is being protected, who has access to it, to what extent, and what happened to data. So how was it used?
That ties into what you were saying earlier and what we've talked about with security through simplicity. And obviously, you know, there are people out there that are getting this right. Protegrity is doing a fantastic job with the solutions that you guys have built. And I'm sure there's some success stories of the people that you have served. What are some examples of how organizations have successfully unlocked more value from their data while managing data risk effectively?
Since I'm based in Europe, so I'll give you an example from our field. We have this very long-term customer of ours that is a financial institution. And what they've done is they've built an in-house anti-money laundering, AI-powered processing engine. And at some point, they decided to make it available to other financial institutions. And that's what they did. And the beautiful thing is that the data that they received from those other financial bodies... is being protected before it reaches their solution, meaning that they have no access to personally identifiable data.
They see the data only to an extent that they need to perform the analysis. And what I really like about this example is that our customer has essentially set a gold security standard as a supplier, because in this scenario, they have become that third party for those other financial institutions. Okay, so that's a fantastic example.
So how can companies ensure that the security measures they implement do not hinder data usage? So they could be blocking data, which is gold these days. It's the high currency. So how do they make sure it doesn't hinder usage there, but also unlocks full potential of their data in the context of all of our modern business? This is a very good question. And I think this is a common conundrum in that security is often perceived as a blocker.
Companies struggle to move their data to the cloud because of security. They struggle to adopt the gen AI technologies. They struggle to monetize their data. They even struggle to get... access the data they already own because of complex security protocols. And so I think the more successful companies that overcome this challenge had to shift their mindset from perceiving security as a blocker to perceiving it as an enabler, because that's what it should be. Security should enable your business to operate digitally, to grow, to scale, to modernize.
This is one of our core beliefs at Protegrity. This is why we do what we do. We implement data security precisely to enable the business to operate. The number one thing we would do is that we would protect the data across the entire environment.
When I say protect, it's that we take the original data and we replace it with something completely meaningless like tokens or ciphertext. What this results in is extremely powerful because if you get an attacker get into your environment, all they're going to see is nonsense. They won't be able to make any sense out of your data because it's no longer the original data. And so you shrink your attack surface. You minimize your attack surface.
And so you reduce your attack surface to absolute minimum. And then you only unprotect data or you reverse it to its original form when it's being used. And that's done through a combination of automation and baked in role-based access controls. And that completes the story because what you get is that centralized control pane where you can decide how different roles will get access to what kind of data. And so you have the full visibility and transparency over what's happening.
I understand what you're saying there and reducing the attack area by encrypting or hiding the data, not hiding it from sight, but hiding it from usefulness, essentially, from an attacker. Why aren't businesses data sharing and capitalizing on data monetization today? You know, and from your prior answer, I feel like I could cherry pick it... a few things, but is it a data security concern? And if so, how can they overcome that? I think security is a massive concern.
As well as I think that as an industry, we've been a bit burned by attempts, by public attempts of data sharing that went completely wrong. You may remember this incident where New York City cabs and limousine commission released a data set of it was 170 million trips. And that data was allegedly anonymized, but people on the internet were able to reverse engineer it. And it had all sorts of awful consequences. People were able to identify the drivers of licensed slaves.
It even spilled over to passenger security as some of the patterns of the pickup points and the drop-off points. Some of those patterns were also visible and that, in fact, even impacted some celebrities. And so I think security is one part of it. The other issue or the other challenge is that data sharing initiatives are often very DIY. These processes struggle with the fact they're very manual and it's hard to repeat them.
In fact, this is an area that we are heavily investing in at Protegrity. And what we're working on with our clients is... adopting and productizing best-in-class anonymization techniques, repeatable and secure data sharing pipelines. When you share data, you ensure that there is no way that an identity of an individual can be reversed. At the same time, the impact on data usability, so its analytical value, is absolutely minimal.
much sense to not be doing it. Businesses should be data sharing, should be capitalizing on their data, but doing so where they're reducing their attack area to where the data is useless to attackers. Data threats have evolved. You pointed that out. You pointed out that cyber criminals and bad actors are evolving in how they attack systems.
And the best way is just to make the thing that they're after not useful to them. So I really appreciate you being on the show explaining all this, Ivana. Thank you for enlightening the audience on how you can make your system smarter than the threat actor. Thank you so much for having me. It's clear from Eve's points that bad actors are becoming more and more sophisticated with attacks, and you and your organization's best bet is to keep your security strategy straightforward and simple.
Thank you for listening to today's episode. If you'd like to learn more about Protegrity, go to protegrity.com. That's P-R-O-T-E-R. And thanks again for listening.