ALTR Blog

The latest trends and best practices related to data governance, protection, and privacy.
BLOG SPOTLIGHT

Data Security for Generative AI: Where Do We Even Begin?

Navigating the chaos of data security in the age of GenAI—let’s break down what needs to happen next.

OneTrust is the #1 fastest growing company on the Inc. 500, and for good reason. Organizations big and small, including about half of the Fortune 500, rely on the OneTrust platform to easily operationalize privacy, security, and data governance. This is especially critical as data (and data privacy) solidifies itself as the next big trend.

While it’s easier than ever to get value out of data, managing data has never been more complicated. Organizations have more data than ever, with more users needing access to data than ever before. On top of this, data is riskier than ever, forcing teams responsible for Privacy, Legal, Security, Risk, and Compliance to manage growing privacy regulations and attack vectors at the same time.

OneTrust and ALTR have approached this problem from separate ends: OneTrust by simplifying privacy and governance policy and ALTR by simplifying the implementation and enforcement of those policies. While separate approaches, our vision of enabling secure, governed access to data is a shared one. By combining our technologies, we’re able to meet in the middle to provide a holistic solution for data governance and data security where data teams get access to the data they need, while governance, privacy, and legal teams feel confident in their customers' and employees' privacy, and security and risk teams ensure data remains protected. This is why we’re beyond excited to announce our partnership and integration.

Our partnership with OneTrust allows thousands of customers to more tightly integrate their governance, data, and security teams. We believe this will help our shared customers dramatically simplify data governance programs, using automation to close the gap between governance policy creation and security enforcement.

With our new integration, OneTrust scans data sources to catalog your sensitive data and create policy to govern access based on its sensitivity. OneTrust then uses this policy to automatically configure access controls within ALTR, and ALTR enforces your governance policy on every request for sensitive data.

This new partnership brings together OneTrust’s centralized platform for privacy, security, and data governance with ALTR’s advanced, real-time enforcement. With this, you can automate access to sensitive data and close the gap between policy creation and enforcement, at scale, in a really simple way.

OneTrust + ALTR. Simplify your data governance program through automation.

Check out the OneTrust and ALTR webinar, as we take a deeper dive into the benefits of this partnership along with a live demonstration of our new integration. Click here to watch the webinar on demand!

As a society, we’ve been forced seemingly overnight into a new work environment with offices closing (and many companies permanently downsizing office space) and remote work seeming more and more like it's here to stay. The new normal is sure to be more digital, and enterprises are moving quickly to adapt to these changes by enabling remote work and further accelerating the migration to the cloud. Unfortunately, these rapid changes have also opened up new avenues for attackers to exploit. If companies are to remain secure in the new normal, they’ll need to adapt their security posture as well.

Enterprises already invest heavily in security (worldwide security spending is already over $100 billion annually, and expected to grow to $170 billion by 2022), but still lack basic visibility into and control over the sensitive data they collect and consume. This lack of visibility prevents companies from understanding how their organization uses data and also from taking advantage of these data consumption patterns, a key requirement as we evolve into the age of data. Meanwhile, a lack of control around data consumption means while companies may have implemented controls around who is able to access data and what data they’re allowed to access, they’ve not closed a critical gap: how much data a credentialed request is allowed to consume.

These two factors — an inability to understand enterprise data consumption and a lack of control around how much data is allowed to be consumed — combined with a quickly evolving regulatory environment, create a perfect storm for today’s enterprises: credentialed requests for data are often able to consume without limits, opening up a level of risk that puts entire companies at stake. With the rapid changes demanded by today’s new normal, the urgency to close this gap has only grown in importance.

What are the impacts of unchecked data consumption?

Companies that don’t place limits on the consumption of sensitive data are already in very dangerous territory as they remain vulnerable to both insider and external threats. Verizon’s latest Data Breach Investigations Report informs us that inside actors are involved in 30% of data breaches, and over 80% of hacking-related breaches (hacking by external parties is the most common type of threat action) involve the use of brute-force attacks or stolen credentials. The common denominator here is clear: having credentials is the best way to obtain what threat actors are looking for — sensitive data.

In addition to the financial impacts of a breach (CCPA fines can be up to $7,500 per record, for example), the impacts to brand reputation and operations pile up quickly, with strategic efforts put on hold while team members turn into firefighters and customers lose trust in the company.

To mitigate these risks, enterprises need a solution that provides observability and control over data consumption. These controls provide confidence in the security of the organization’s data no matter where it lives, enabling companies to properly and rapidly take advantage of the migration to the cloud. In fact, it’s only by having these capabilities that organizations can confidently and securely enter the new normal.

How can you gain both visibility and control?

Ideally, it would be great if you could treat your data the same way banks treat money in an ATM.  Here’s the process as we see it:

  • Identity: In order to access your funds, you need to present a card to show who you are.
  • Multi-factor authentication: You must also enter a PIN code to prove your identity.
  • Privilege: Once you’re authenticated, you only have access to your funds, not anyone else’s.
  • Auditing: When you deposit or withdraw funds, you’re monitored with a camera and your actions are recorded.

This is where most companies are today, and where security tools offer their services. You’re able to solve for identity, authentication, and privilege, and most tools can provide some level of auditing for you as well. However, there is a major piece missing from the enterprise’s arsenal that banks solved a long time ago: controlling how much someone is able to consume — money in the bank’s case, data in ours.

  • Thresholds: Limits on how much you can consume per transaction or over time.

For security and logical reasons, banks place limits on the amount of money you’re allowed to withdraw from an ATM. These limits are enforced on individual trips to the ATM, as well as contextually throughout the day. Limits like this protect the end user from fraudulent activity, protect the bank from customers withdrawing more money than they have (either accidentally or maliciously), and ultimately build trust in the bank’s ability to securely store its customers’ money.

This is exactly what enterprises need to be doing with sensitive data. You need the ability to contextually understand consumption patterns across all sensitive data (whether PII, PHI, or PCI data), limit how much data a request is allowed to consume, and proactively prevent requests from consuming more data than they are allowed to.

How ALTR helps companies enter the new normal

With ALTR, organizations can set governance policy to limit the consumption of sensitive data across the enterprise. Each time sensitive data is requested, ALTR records both the request itself and metadata around the request (which data was requested, how much, when, from where, etc.), and analyzes the request against ALTR’s risk engine before allowing or preventing the return of sensitive data. Data consumption and policy-related information can be sent to enterprise SIEMs and external security clouds and visualization tools (like Snowflake and Domo) for further analysis so the company can understand and learn from its data consumption behavior.

By implementing data consumption governance with ALTR, enterprises can understand how their organization consumes sensitive data, protects that data, protects their customers, keeps up with a rapidly changing regulatory environment, builds trust, and solidifies their reputation while securely and confidently entering the new normal.

Ready to learn more about improving visibility into and control over your organization's data consumption? Check out this brief overview or reach out to get the conversation started. We’d love to hear from you!

In part one of this series, we talked about how 2020’s massive increase in the use of cloud data platforms led to organizations rushing to get to the fastest “time to data and insights”. This meant they were left with no option but to consider data governance and security last, which is massively problematic not only for regulatory reasons but for financial reasons as well. So part one was more about the problem; this article will address the solution.

Multi-cloud data sources, enrichment & storage, data consumer

Step one: data discovery and classification

A multi-cloud data governance and security architecture starts with the data generated and where that data is stored. Data sources can range from OLTP databases to large data sets used for data science. These databases exist across multiple cloud data platforms (Snowflake, AWS Redshift, Google BigQuery) as "fit for purpose" databases for analytics, operations, or data science. Data observability, governance, and security are applied from the ingestion point and end in the exfiltration of data by various data consumer types such as business intelligence solutions.

The discovery and classification of data across multiple cloud data platforms and data sources is paramount. Once data is discovered and classified, you may introduce automation to apply governance and security policies based on security and compliance requirements specific to the business. Sensitive information is stored in a tokenized format and replaced with keyless and map-less reference tokens.

Step two: observe and control data access in real-time

Data consumption and analytics components of the architecture may observe data access in real time and provide intelligence for stopping both credentialed breaches and erroneous access to data from applications and services used by data consumers such as data scientists, analysts, and developers. Any anomalous behavior should be blocked, slowed down, or reported to the security operations center and initiate a workflow in a company's security orchestration, automation, and response (SOAR) services.

The architecture's data governance and security components must support different business goals such as data monetization, revenue generation, operational reporting, security, and compliance while promoting data access performance and "time to data." In other words, the best multi-cloud data governance and security architecture is invisible but very active when it needs to be.

2021 is the year

As we proceed into 2021, there is no sign of slowing down data generation, storage, and consumption. Think about IoT data generation, storage, and protection. This shift into the edge is going to be massive! An Andreessen Horowitz article calls for “The End of Cloud Computing”, and with good reason. Peter Levine (Andreessen Horowitz) rightly says, “Data Drives the Change, Real World, Real Time”. With this massive change in structured, unstructured, and edge device data, business leaders should positively incentivize organizations to establish multi-cloud data governance and security architectures now. 2021 is the year.

A properly designed and implemented multi-cloud data governance and security architecture will significantly reduce costs and introduce automation around data discovery, classification, and security. With this architecture, you will know how much data risk exists. Once you know the risks, you can implement governance and security policy once and apply it everywhere. Marrying this with automation into your security operations center (SOC, SOAR) will be very important to ensure you can respond to real data security threats in near real-time.

So that’s why we’re here! We’d love to show you firsthand how ALTR’s Data Security as a Service can help your organization reduce costs and introduce automation around data discovery, classification, and security.

Try ALTR for free today.


2020 saw an increase in cloud data platforms used for operation, analytic, and data science workloads at breakneck speed. In a rush to get to the fastest "time to data and insights," organizations are left with no option but to think about data governance and security last. The first phase of migration to the cloud involved applications and infrastructure. Now organizations are moving their data to the cloud as well. As organizations shift into high gear with data migration to the cloud, it's time to adopt a cloud data governance and security architecture to support this massive exodus to the major cloud data platforms (Snowflake, AWS, BigQuery, Azure) at scale.

Who’s accessing your data?

DalleMule & Davenport, in their article What's your data strategy?, say that more than 70% of employees have access to data they should not, and 80% of analysts' time is spent simply discovering and preparing data. We see this firsthand when we work with small and large organizations alike, and this is a widespread pattern. Answering the question of who has access to what data for one cloud data platform is hard enough; imagine answering this question for a multi-cloud data platform environment.

Let's say you're using Snowflake and AWS Redshift. Your critical analytic and data science workloads are spread across both. How do we solve the challenge of answering who has access to what data consistently and across those two cloud data platforms? For companies that are heavily regulated, you must answer these questions while using a specific regulatory lens such as GDPR, HIPAA, CCPA, or PCI. These regulations further complicate things.

The tension between security and innovation

The struggle for balance between complying with regulations and promoting the fastest time to data means the experience for developers, analysts, and data scientists must be pleasurable and seamless. Data governance and security have historically introduced bumps on the road to velocity. DalleMule & Davenport’s article presents a robust data strategy framework; they look at a data strategy as a "defensive" versus an "offensive" one. The defensive strategy focuses on regulatory compliance, governance, and security controls whereas the offensive approach focuses on business and revenue generation. The key, they say, is striking a balance; and we agree.

A shared data governance and security architecture

From a technical strategy perspective, in order to implement either a defensive or offensive strategy and achieve a continually shifting balance across multiple cloud data platforms, you need a shared data governance and security architecture. This architecture must transparently observe, detect, protect, and secure all sensitive data while increasing performance over time.

Snowflake famously separated compute and storage. Data governance, security, and data should follow suit. Making the shift from embedded role-based and identity security and access controls in the cloud data platform to an external intelligent multi-cloud data governance and security architecture allows for the optimum flexibility and ability to apply consistent governance and security policies across various data sources and elements. Organizations will define data governance and security policy once and have it instantly applied in all distributed cloud data platforms.

Intelligent multi-cloud data governance and security

Avoiding governance, security, and access policy lock-in with one cloud data platform provider will be critically important when adopting a multi-cloud strategy. Think of it this way: suppose you implement data access and security controls for data in Redshift. In that case, you can't expect the same policy to automatically be implemented consistently in your Azure, Snowflake, or Google BigQuery data workloads. This type of automation would require an open and flexible multi-cloud data governance and security architecture. It's essential to avoid the unnecessary complexity and cost of having data governance and security silos across cloud data platform providers. Unnecessary complexity doesn't make technical or business sense. Not having multi-cloud data governance and security architecture will negatively impact data observability, governance, and security costs significantly. The more data you migrate to the cloud, the more your cost increases. Worldwide data is expected to increase by 61% to 175 zettabytes, most of which will be residing in cloud infrastructures. Think about what this will do to governance and security costs across multiple cloud data platform environments.

You can’t protect what you can’t see

This massive movement of data to the cloud will require an incredibly robust data discovery and classification capability. This capability will answer where the data is and what type of data it is. AI and ML will be critical to making sense of the discovery and classification meta-data across these data workloads. You can't protect what you can't see. The discovery of vulnerable assets like data has been the age-old challenge with implementing security controls over large enterprises. With observability, discovery, and governance, you will now be inundated with a tremendous amount of data about people's access and security controls in place to mitigate potential data security risks.

Check out part two of this series to learn how a properly designed and implemented multi-cloud data governance and security architecture can reduce costs and introduce automation around data discovery, classification, and security.

An earlier post talked about why cloud data warehouses (CDWs) match so well with data security as a service (DSaaS). This post goes into more detail about exactly how DSaaS improves data access governance for CDWs.

The Cloud Abstracts Much of the IT Stack, but Not Data Access

The greatest power of the cloud is that it eliminates the need to operate many parts of a traditional IT infrastructure, from servers to networking equipment. This of course brings a lot of benefits with it, including lower capital expenditure on hardware and software, much more efficient operations, and significant savings of time and money. CDWs in particular also enable better data visualizations and advanced analytics so your organization can make better business decisions. Those are big wins.

When it comes to data access, however, there are some vital functions that the cloud cannot get rid of. As discussed last time, the first function is user authentication, which can be handled for CDWs in a straightforward way by using a single sign-on (SSO) solution. This step answers a fundamental question — Are you who you say you are? — before allowing a user to access the CDW at all.

What happens once a user is inside the CDW is covered by the more complex functions of authorization and tracking. That’s where DSaaS comes in.

Authorization: What Is Each User Allowed to Do?

DSaaS operates via a special database driver that enables granular control and transparency for data access without creating any meaningful impact on the performance of the cloud data warehouse. That means you can get the most out of the scalability, speed, and ease of access provided by CDWs such as Snowflake or Amazon Redshift, while also achieving better privacy and compliance.

The key is that DSaaS works all the way down to the level of the individual query. When a user attempts a specific data request, the system is able to see it and place controls on it using a “zero trust” approach. This means that every authorization is treated independently, not only when a user begins a session of using the CDW, but also at each step along the way.

Without slowing down anyone’s work, this allows the system to answer a second fundamental question — Should this user be permitted to execute this query right now? — each time the user attempts a data transaction.

To use an everyday analogy, the process works something like an ATM machine. When you use an ATM, it’s not enough that you’re a bank customer with the correct PIN; that system will enforce very specific limitations on whatever you try to do. Before you can make a withdrawal or transfer, it checks that the money is available. Before you can attempt to clean out your account all at once, it enforces a single-transaction limit or daily limit to prevent you from doing so. And if you finish your transaction, walk away, and then walk back when you remember something else you meant to do, it makes you go through authentication again.

Although the technology operates differently, DSaaS does something very similar for a CDW, this time treating data like money. It enforces rules around questions such as these:

  • Should this user be able to access this data, down to the specific column?
  • What actions may this user perform on that data? (View it? Change it? Download it?)
  • How much of the data should this user be able to access at once?

DSaaS makes it easy for administrators, compliance officers, and security personnel to establish rulesets that govern the flow of data, without requiring an organization’s developers to code and test the logic from the ground up.

By enforcing these rulesets in real time, DSaaS enables businesses to put up guardrails that prevent users from accessing specific types or amounts of data that they shouldn’t. The upshot is that your organization is able to enjoy all of the value that CDWs create through efficient data access, while mitigating the attendant security and compliance risks.

Tracking: Is Each User’s Activity Accurately Logged?

Beyond regulating data access in real time, DSaaS also creates an immutable record of transactions at the query level. This provides a level of context that goes beyond visibility (Can we see what is happening?) to true data observability (Are we able to draw conclusions from what is happening?). That level of insight is a boon for compliance and security officers.

Working at the application layer, DSaaS can see both sides of a data transaction, providing a rich history of the queries a user made, which data they touched, and which data they received back. Such detail shines a bright light into previously dark corners of data access to uncover previously hidden patterns.

Because the records of these data transactions, along with administrative actions, are kept in a tamper-resistant archive, any data that is changed will be detected and can be changed back if necessary. And because the archive itself records exactly which users and records were affected, it aids in creating an audit trail for complying with recent tough privacy regulations such as CCPA.

Learn More About Protecting Sensitive Data in Your Cloud Data Warehouse

Using a CDW increases the value of your data to your organization; DSaaS reduces the attendant risks. Using both together enables your organization to improve privacy and compliance while taking full advantage of the portability, scalability, and speed of the cloud.

In a recent Database Trends and Applications webinar, “Protecting Sensitive Data in Your Cloud Data Warehouse with Query-Level Governance,” I had a chance to really dig into why you need full transparency and control over data access, and how to optimize privacy and compliance for today's most popular cloud data platforms.

Whether you already run a CDW or are considering it, check out this webinar on demand and find out how DSaaS can help you make the most of your investment.


Identity and Access to Data

Identity and access management (IAM) is the set of technology and processes that grant access to the right company assets, to the right people, at the right time, and for the right reason. In my twenty years of IAM experience, I have seen the full evolution from web single sign on in the early 2000s, to identity provisioning in 2004, identity governance and administration in 2005, and finally identity and access intelligence and automation driven by “identity fabrics” in 2019.  

It is time for IAM concepts to be applied to the data cloud. At ALTR, we see a large trend of increased complexity, maintenance, and operating costs for ensuring people have access to the right data, for the right reasons, and at the right time. Applying IAM concepts to data can simplify this process and reduce your administrative burden.

Treat Data Access Controls Like IAM

Just as IAM platforms centrally manage identities and their access to applications, so should a central data governance and security system manage access to sensitive data. Sounds neat, right? Well, it's a bit more complicated than that. Just as Identity is moving towards a multi-cloud model, so is data. This means that data is distributed across multiple data clouds like Snowflake, AWS (Amazon Web Services) Redshift, and Google BigQuery. This shift into a multi-data cloud architecture requires a platform that has the following characteristics:

  • Simple – Simple to use by line-of-business users. You shouldn’t necessarily need to be an experienced cybersecurity professional or data security engineer to set up, configure, and get value from the platform.
  • Distributed (Snowflake, AWS, Google) – The platform must support ease of connectivity and integration to the major data cloud platforms.
  • Controlled from a single platform and pane of glass – Centralized management but distributed control is key to enforce common governance policies across data cloud platforms.
  • Intelligence is built in – Intelligence-driven data security should deliver insights which drive policy and automation.  
  • Performance as king – Maintaining an adequate level of data access performance while observing data access and protecting against a variety of threats such as a credentialed breach.
  • Delivered as a service – The centralized but distributed data governance and security system must be delivered with zero code and zero on-premises footprint.  

It is All About the Roles, Tags, and Grants

A cloud native data governance and security system uses a cloud service provider’s (AWS, GCP, Azure) IAM roles to grant privileges on data warehouses, schemas, and table rows and columns via policy tags. These grants based on IAM roles allow for proper user or application operations on sensitive data.  

A data security strategy that combines a multi-level (warehouse, schema, table, rows, columns) approach in an easy to implement, scale, and manage strategy is the “north star” of any sensitive data protection program. Answering key questions on establishing this multi-level model and augmenting it with secure views and functions are key to ensuring a solid strategy against massive data exposure and exfiltration.

Identity Is No Good Without Context

Having a strategy to map your Identity model to your sensitive data is great, but now you need to think about context. This approach is the “dynamic” nature of responding to potential threats. To gain context, you need a broader view of identity, data sources, security controls, and what governance rules apply.

By connecting identity, governance, and security together, you can gain much more granular views into and control over how data is used.  

End to End Data Protection Use Case  

Let us look at an end-to-end use case. In this sample use case, we set up a data catalog service to discover data in Snowflake, classify sensitive data, and notify ALTR of sensitive data for consumption governance and protection. Here are the five simple steps to take for this use case.

  1. Discover data from the Snowflake warehouse, schema, and tables. Automatically look for and classify sensitive data. This data could be any PII (Personal Identifiable Information), PHI (Protected Health Information), or data deemed sensitive by regulatory requirements such as GDPR (General Data Protection Regulation) or CCPA (California Consumer Protection Act).
  2. Leverage ALTR to gain data consumption intelligence based on the discovered data and consumption patterns from users and applications. With this intelligence, we will understand who is accessing sensitive data and why.
  3. After identifying consumption patterns, we can use ALTR to govern access to sensitive data. We then place limits on data consumption, protecting data against credentialed threats.
  4. The last step is to further protect sensitive data by replacing it with mapless and keyless tokens using ALTR. This approach allows for the utmost security by giving you a way to tokenize data without using complex key management systems and requirements that make cryptographic alternatives hard to maintain and scale.

This end-to-end use case can be scaled to multiple data cloud platforms to govern and protect sensitive data distributed across cloud data platforms. ALTR provides the central data governance and security control point to manage policy once and affect data across your organization, significantly reducing complexity and cost for data protection.

To learn more about how ALTR can help your business, check out the latest demo from ALTR CTO, James Beecham, here.

After another up and down year of COVID, I’m looking forward to some holiday joy, and to some fun holiday shopping. Like many others since the start of the pandemic I’ll be doing a lot of that buying from home, online. And some of the hottest items on the list – from smart watches to picture frames – come with internet connectivity built in. All of this has me wondering about the data that will be collected about me or my family in the upcoming holiday season.  

Many of the articles I found when searching for “online holiday shopping data privacy” put the responsibility on consumers, with reams of advice on what we should do to protect our data. But that’s actually harder for consumers than ever. Although a handful of state-level privacy regulations were passed this year, the lack of consistent state-by-state consumer data privacy laws, or a US federal law like GDPR, makes it very challenging for consumers to understand what they’re agreeing to or what they might be giving up.

This means online retailers must step up. The flip side to the benefits of gathering data is the responsibility to keep it safe. Is your data privacy program ready for the holiday season? Is it naughty or nice?  

Online holiday shopping is bigger than ever (and so is customer data collection)

COVID-19 threw a hitch into a lot of normal activities last year – from working from home to learning from home to watching movies from home. Sensing a trend? Holiday shopping was no exception. Before last year’s shopping season, a Deloitte survey showed 64% of respondents planned to spend their holiday shopping budgets online. For the first time, Cyber Monday surpassed Black Friday with 59% of respondents planning to shop on Cyber Monday versus 48% on Black Friday.

The trend continues this year with two-thirds (66%) of respondents to a leading customer data platform survey saying they buy online now more than they did before the pandemic. For the holidays this year, nearly half plan to combine in-store and online shopping, and more than one-third plan to use e-commerce exclusively.  

This increase in online shopping has led to an increase in online shopping data – creating both a windfall and a responsibility for retailers.  

Concern over customer data privacy hasn’t magically disappeared

COVID has convinced some consumers to overcome their distrust of online shopping – the Holiday Shopping ID Theft survey showed that 73% of those who avoided online shopping in the past say they have become more comfortable shopping online since the start of the pandemic. But 66% of those surveyed still expressed concern about their financial or personal information being compromised due to a data breach while shopping this holiday season.  

This concern is no surprise – even though most consumers are unaware of all the data gathered about them while online shopping, even just the leak of a name, a credit card number, and an address could lead to issues. On top of that, retailers collect info about what customers are buying, sites visited, products considered, browsing patterns, and more. Consumers say they value privacy over customized marketing, but as customized marketing continues to be effective for retailers, there are no signs of this slowing.  

Ensure your customer data privacy program makes the “nice” list

It’s practically impossible for consumers to have a clear idea of all the data companies are gathering on them because it’s primarily behind the scenes, with a cookie notification popping up here and there. And let’s be honest, we all just click whatever it takes to make the pop up go away and get on with our shopping – just like we do with terms and conditions! Companies that value their customer relationships should take these steps to keep customer data as secure as this year’s secret Santa list:  

  1. Know the data you’re gathering and storing: Responsible retailers need to find and classify all customer data, discover where sensitive data like credit card and social security numbers are stored, and be ready to prove to regulators they have that knowledge.  
  2. See, understand, and document who is accessing that data in real time: Knowing about the data is just the first step. If you can’t see who is accessing it, how can you be sure it’s being used as it should be? Make sure you have a tool (like your own personal Elf on the Shelf) that reports back to you on data access and usage by user. This helps you understand what normal data usage looks like and quickly identify when users step out of line. Keep a tamper-proof record of this access to share with regulators as needed.  
  3. Control access and mask sensitive data based on data governance policies: Implement a tool to control access and dynamically mask sensitive data so that only the allowed data goes to approved users at the right time, in line with the policies in place to comply with privacy regulations.  
  4. Use risk-based thresholds to stop unapproved access: Once you have a clear view of who’s using what data, when and how much is needed to execute specific tasks (like emailing a discount for a hot holiday item), set up limits and thresholds to ensure sensitive data doesn’t get into the wrong hands. This confirms that only the data needed to carry out business objectives is shared and limits the potential risk of credentialed access data theft.  

The hottest gift this holiday season? Customer data privacy

With so much being thrown at consumers over the last two years, the best gift retailers can give their customers this holiday season is to take one more worry off their plates: data privacy. Retailers need to ensure sensitive and private customer data is controlled and protected, keeping it safe, so consumers can just focus on finding the latest, coolest gadgets and spreading holiday cheer in a year when we need that more than ever.  

When you analyze a company’s journey as it becomes a more data-driven organization, you start to see some pretty clear patterns. Invariably, we see customers walking the path below regardless of industry vertical or company size:

Understanding sensitive data

  • Discover and classify sensitive data
  • Understand who is accessing sensitive data (and when, how much, and how)

Governing sensitive data

  • Add controls governing access to sensitive data
  • Add controls to ensure data privacy and regulatory compliance

Protecting sensitive data

  • Apply advanced controls to limit data risk and integrate security
  • Tokenize critically sensitive data to protect against direct access threats

Everyone has these same needs around their sensitive data—and a heck of a lot more—but these are what we keep seeing as core requirements. The very first item on this path is sensitive data classification. If you think about it, you can’t really get started until you understand what and where your sensitive data is. Once you do that, applying governance and security policies is a matter of doing the work (for any data engineers reading, yes, a lot of work. Contact us!)

Learn about what is considered sensitive data and what kind of security it requires.

Heck, we need sensitive data classification too. It allows us to better understand and report on data consumption, more easily apply access governance controls, detect sensitive data in new data sources, and help our customers be confident that their data is both private and secure.

When it comes to sensitive data classification, there are products out there doing a great job at that already. To add support in our own platform, we didn’t need to reinvent the wheel, we just had to add the classification “wheel” to our product’s “car”. Our customers can simply choose which classification provider they use, and ALTR’s integrations will take care of the rest, improving reporting on data access and making it even easier to implement governance controls.

For companies without a current classification provider, we have out-of-the-box integrations for Google DLP and Snowflake's native classification so everyone who uses ALTR can start on the path to full data access governance and security easily.

At ALTR, we want to remove the burdens of data classification as you grow and add more data, users, and platforms into the mix. We do as much of the heavy lifting ourselves as possible, delivering new and unique features that layer advanced data security on top of governance controls (for a primer on how governance and security are intertwined, check out this blog post). But we also believe this involves connecting the broader data ecosystem together so the tools and platforms you use share a unified understanding of your data. We’re excited that our support for data classification is an extension of this belief.

Learn more about ALTR's sensitive data classification.

See how doing sensitive data classification yourself in Snowflake compares to doing it with ALTR.

If you’d like to see sensitive data classification in action, request a demo!

What’s going on?

The 2020 Verizon Breach Report shows that breaches are up nearly 100% from last year, and threats are evolving at an alarming rate with more and more people working from home since March of 2020. This marks the fourth year in a row that stolen credentials are the number one source of breaches and hacking. (For our purposes here, hackers can be defined, at a very high level, as one of three things: those utilizing stolen or brute-forced credentials; those exploiting vulnerabilities; and those using backdoors and command and control [C2] functionality.) Four years in a row is certainly long enough to call it an established trend, so let’s talk about why this is happening.

To start, we’ll explore the vectors where attacks are happening less. Websites are getting smarter about SSL/TLS, so plain text interception attacks are on the decline. Browsers like Google Chrome and Firefox are getting more aggressive about protecting against man-in-the-middle and eavesdropping attacks, leading to a decrease in IP spoofing, SSL hijacking, and the like. While it’s great news that these types of attacks are trending downward, the consequence is that now the only way in is with usernames and passwords. That’s great news for attackers since most people are lazy when it comes to their passwords... but bad news for users.

Credential Stuffing: when hackers exploit users that reuse passwords across different services

Do you use one key for your house, storage unit, office, safe, bike lock, and car? Probably not. It should really be no different when it comes to your different online services; if you use one password or a variation of one password for your Netflix, email, bank account, E*Trade, etc., then guess what? If someone steals your password, they’re going to have a field day with all that data. Maybe you’re not the type of person who uses a similar password for everything... but the average person certainly does. A recent blog published by eBanking platform Q2 shows that most people have more than 200 online accounts and only 8-10 unique passwords. So if I guess or steal one of your passwords, that means I’ll have access to at least 20 of your accounts (on average, of course).  

Password managers for the win

Obviously it would be a huge pain to have to create a complex, really-hard-to-guess, unique password for each of your ~200 accounts. Wouldn’t it be great if there was a tool that could do that for you? Aha! There is. It’s called a password manager, and you should 100% use one. You can’t really go wrong when picking one: there’s LastPass, OneLogin, KeePass, Dashlane, and plenty more. Even your web browsers like Chrome, Firefox, and Safari have native password management capabilities (though we’d warn against those as most of them store your passwords on your computer in an unencrypted form).

Either way, any password manager is better than using the same password for all accounts. Use one for your personal accounts; use one for your work accounts; use one for everything! Just use it, please.

Why listen to me?

Even as a security expert, I didn’t realize how important a password manager was until a few years ago. I used to have three passwords: one without numbers, one with numbers, and one with numbers and symbols. The end. But then I got smarter, and I started using LastPass – I’m safer; my company is safer; my family is safer; and everything is just oh-so-much better (and easier). If you don’t believe me, maybe you'll listen to Forrester Analyst, Brian Kime, who claims that a password manager “could save your marriage”... just saying.

It’s not hard to start using either, and it doesn't have to be a whole big event. Download the password manager and as you go about your normal day logging into sites or services, just spend 30 seconds max changing your password for each site you visit. That’s all there is to it!

And if you’re wondering, “what if someone steals the password for my password manager?!” Well, I’d recommend using a device where you can use your fingerprint or face scan to log in; in lieu of that, a password manager will also generate a random, nearly impossible-to-guess password for you. So just do it.

The cybersecurity journey is never over since bad actors are constantly evolving along with new technologies. Password managers are just the first step to protecting your sensitive data. But as we mentioned at the beginning, stolen passwords are still on the rise. So, along with password managers, organizations need a strategy to ensure their data is safe if/when credentials are compromised. That’s where ALTR can help.

To learn more, get a demo!

Whether at work or for personal purposes, it seems like every website from online stores to news outlets requires a login these days. That’s a lot of passwords for you to manage, and it’s only human to take a shortcut or two. But even when you follow every password best practice, hackers have a way of getting around your defenses. According to a recent Verizon report, 81% of data breaches involve weak or stolen passwords. With employees who have passwords for countless applications, how can organizations possibly keep their data safe day in and day out? You need to understand the threat before you can find the solution that best fits your situation. In part one of this series we will explore the threats around guessed and stolen credentials.

People Are Predictable

Humans are creatures of habit, and hackers are very aware of it. By using brute force or dictionary attacks – or simply by peering over someone’s shoulder – hackers essentially “guess” user passwords based on their knowledge of password habits and open source intelligence. This is especially true for weak passwords (“123456,” “111111” and “password,” to name a few) that continue to be frequently used across multiple applications and platforms. To quote a prophetic 1970s Jackson 5 lyric, “abc, it’s as easy as 123.”

Lack of Diversity

Passwords are like stocks; you should never put all of your faith in just one. No matter how strong and reliable a password seems, it only takes one high-profile data breach (Target, Capital One, Equifax, etc.) to land a clever arrangement of numbers, letters and punctuation marks on some international hacker database. In a survey of 1000 individuals in the US, more than half used the same password for multiple online logins. When employees use the same password for everything, including your website or app, it’s like they’re handing cybercriminals a key to your front door.

Keeping Compromised Passwords in Circulation

Even when someone gets that dreaded notification that one of their (hopefully many) passwords has been compromised, they’ll often “wait it out” or change a single character instead of coming up with something completely different. Cybersecurity expert Troy Hunt notes that once a password or passphrase is exposed by a data breach, it is no longer secure. Attackers hoard the information exposed in these breaches and engage in credential stuffing, testing the combinations on unrelated sites. It’s only a matter of time before they discover your employee couldn’t be bothered to significantly change their credentials.

Plenty of Phish in the Sea

Cybercriminals are also adept at manipulating credentialed users into giving away passwords through phishing and spear-phishing campaigns. Take the “rescheduled meeting” scam popping up in thousands of corporate inboxes earlier this year, where employees were duped into providing hackers with their usernames and passwords. One study shows that even after implementing security awareness and phishing identification training programs in a workplace, users click on phishing emails almost 25% of the time. Encouraging your employees to keep a close eye on their inboxes could stop you from becoming some hacker’s greatest catch.

Solution: Think Outside of the Login Box

So how should organizations prevent a cybercriminal from getting to their sensitive data through employees’ passwords? While all of the steps above are helpful in preventing stolen passwords, the bottom line is you still need to assume someone will get through. You need to have technology and policy in place to protect your data even when a cybercriminal gets access to credentials. ALTR’s Data Security platform allows you to mask certain data so that the employee only has access to the fewest fields that they need in order to do their job. This means the cybercriminal only has access to minimal fields if/when they get into the application. Secondly, ALTR allows you to set thresholds for how much data an employee can access. When the cybercriminal or disgruntled employee tries to smash and grab all the data, they will only get away with a fragment of the data they were trying to get. These innovative security measures make compromised credentials a concern of the past.

To get more insight into how to protect your data with ALTR, download our free white paper, How to Address the Top 5 Human Threats to Your Data.

Even in the best of times, it can be a lonely experience living away from family in a retirement home or extended-living facility. But during the current coronavirus epidemic, residents of these homes are more isolated than usual, and often completely shut in. In this setting, something as simple as having a smartphone for video calls with family members can make a real difference in residents’ quality of life.

Working in tech, we at ALTR often use the latest models of smartphones for work and personal tasks. When we recently found ourselves with a surplus of slightly older phones that still had plenty of life in them, we looked for a way to repurpose the phones in the Austin area, where ALTR is headquartered. The opportunity we found exceeded our expectations.

Working with a local contact, we first determined the need for phones in local nursing homes. Then, ALTR’s technical crew made sure the phones were securely erased of any sensitive data and matched with the appropriate plugs and cables. Then we delivered them to the homes that needed them most.

Because each home typically has just one shared house phone without video, having a good smartphone or two on hand is a big plus for enabling residents to see their loved ones’ faces as they talk with them. Over the past couple of weeks, our team has distributed 20 phones to more than a dozen nursing and extended-living homes in Austin and nearby towns.

The staff at one assisted-living facility reported that they have now explained to their clients how family members of residents can take advantage of the new opportunity to connect. They assured us that the phone “is very much appreciated and definitely will be used.”

We know that this is just a small effort in these trying times, but we were happy we could take these steps to meet a real need for people in our community. And we’ll keep looking for new ways to help. 

If you’d like to do the same, search for organizations in your area that are collecting donations in response to COVID-19. Here in Austin, for instance, the Ascension Texas healthcare group has guidelines for donating used iPads, along with new medical supplies such as personal protective equipment (PPE). Meanwhile, the national non-profit #CareNotCOVID initiative can help you find local facilities for giving nursing homes new electronic devices, books, games, medical supplies, and more. We hope you’ll consider pitching in!
