Sep 20
ALTR Welcomes Laura Malins as VP of Product
ALTR continues to strengthen its leadership team, and the latest addition brings a wealth of technical expertise and a fresh perspective to our growing company. We’re thrilled to welcome Laura Malins as the newest member of the ALTR family and VP of Product. With over a decade of experience in data, Laura’s extensive background across industries and technical roles makes her an invaluable asset as we continue to push the boundaries of data security and governance.
From Matillion to ALTR: A Proven Leader in Data Innovation
Laura joins us from Matillion, where she spent the past ten years shaping the future of data transformation. As VP of Product, she ran the Matillion ETL Product and spearheaded the launch of their revolutionary SaaS offering, Data Productivity Cloud. Her ability to understand deeply technical challenges and translate them into user-friendly solutions has earned her recognition as a product leader in the data space.
“I’ve worked with ALTR for a few years now and have always admired the company and the product. Data security platforms are becoming more pertinent than ever, and ALTR’s innovative product is well-positioned to support compliance and security requirements. I’m delighted to join such a strong and ambitious team, and I look forward to taking the product to the next level,” Laura shares.
Laura’s deep technical expertise and user-focused approach will be pivotal in pushing ALTR’s product suite to new heights. Her ability to bridge the gap between complex data challenges and practical, user-friendly solutions aligns seamlessly with our vision of delivering powerful, scalable data access control. With her proven leadership, we anticipate not just product evolution but transformation—bringing enhanced capabilities to our customers while staying ahead of the ever-evolving data security landscape. Laura’s leadership will help us continue empowering businesses to protect their most valuable assets while driving innovation forward.
Sep 19
Data Security for Generative AI: Where Do We Even Begin?
If you haven’t noticed the wave of Generative AI sweeping across the enterprise hardware and software world, it certainly would have hit you within 5 minutes of attending Big Data London, one of the UK’s leading data, analytics, and AI events. Having attended last year’s show, I can confidently say AI wasn’t nearly as dominant. But now? It’s everywhere, transforming not just this event but countless others. AI has officially taken over!
As a data security focused person, it is exciting and terrifying to see all the buzz. I’m excited because it feels like we’re on the verge of a seismic shift in technology—on par with the rise of the web or the cloud—driven by GenAI. And I get to witness it firsthand! But it is terrifying to see all the applications, solution consultants, database vendors and others selling happy GenAI stories to customers. I could scream into the loud buzz of the show floor, “We have seen this movie before! Don’t let the development of GenAI applications outpace the critical need for data security!” I’m thinking about the rush to web, the rush to mobile, the rush to cloud. All of these previous shifts suffer from the same thing: security is boring and we don’t want to do it. What definitely wasn’t boring was using a groundbreaking mobile app from 1800flowers.com to buy flowers—that was cool! Let’s have more of that! Who cares about security, right? That can wait…
Cyber security, and data security in particular, have had the task of keeping up with the excitement of new applications for decades. The ALTR engineering office is in beautiful Melbourne, FL just a few hours away from Disney. When I see a young mother or father with a concerned look racing after their young child who couldn’t care less that they are about to get run over by a popcorn stand, I think “Application users are the kids, security people are the parent, and GenAI is whichever Disney character the kid can’t wait to hug.” It’s cute, but dangerous. This is what is happening with GenAI and security.
As applications have evolved so has data security. Below is an example of these application evolutions and how security has adapted to cover the new weaknesses of each evolution.
What is Making Generative AI Hard to Secure?
The simple answer is: we don’t fully know. It’s not just that we’re still figuring out how to secure GenAI (spoiler: we haven’t cracked that yet); it’s that we don’t even fully understand how these Large Language Models (LLMs) and GenAI systems truly operate. Even the developers behind these models can’t entirely explain their inner workings. How do you secure something you can’t fully comprehend? The reality is—you can’t.
So, what do we know?
We know two things:
1. Each evolution of applications and data products has been secured by building upon the principles of the previous generation. What has been working well needs to be hardened and expanded.
2. LLMs present two new and very hard problems to solve: data ownership and data access.
Let’s dive into the second part first. To get access to the hardware currently required to train and run LLMs, we must use cloud or shared resources, such as ChatGPT or NVIDIA’s DGX Cloud. Until these models require less hardware or the hardware magically becomes more available, this truth will hold.
The early days of the internet were similar: people wanted to send and receive sensitive information over shared internet lines. The internet was great for transmitting public or non-sensitive information, but how could banking and healthcare use public internet lines to send and receive sensitive information? Enter TLS. This is the same problem facing LLMs today.
How can a business (or even a person for that matter) use a public and shared LLM/GenAI system without fear of data exposure? Well, it’s very challenging, and not a problem that a traditional data security provider can solve. Luckily there are really smart people working on this solution like the folks at Protopia.ai.
So, data ownership is being addressed much like how TLS solved the problem of private information flowing on public internet lines. And that’s a huge step forward. What about data access?
This one is a bit tougher. There are some schools of thought about prompt control and data classification within AI responses. But this feels a lot like CASB all over again, which didn’t exactly hit the mark for SaaS security. In my opinion, until these models can pinpoint exactly where their responses are coming from—essentially, identify the data sets they’ve learned from—and also understand who is asking the questions, we’ll continue to face risks. Only then can we prevent situations where an intern asks questions and gets answers that should only be accessible to the CEO.
Going back to what we know, the first item, we will need to build upon the solid data security foundations that got us to this point in the first place. It has become clear to me that for the next few years, Retrieval-Augmented Generation (RAG) will be how enterprises globally interact with LLMs and GenAI. While this is not a silver bullet, it’s the best shot businesses have to leverage the power of public models while keeping private information safe.
With the adoption of RAG techniques, the core data security pillars that have been bearing the load of a data lake or warehouse to date will need to be braced for extra load.
Data classification and discovery needs to be cheap, fast, and accurate. Businesses must continuously ensure that any information unsuitable for RAG workloads hasn’t slipped into the database from which retrieval occurs. This constant vigilance is crucial to maintaining secure and compliant operations. This is the first step.
The next step is to layer access control and data access monitoring such that the business can easily set the rules for which types of data are allowed to be used by the different models and use cases. Just as service accounts for BI tools need access control, so too do service accounts for the purposes of RAG. On top of these access controls, near-real-time data access logging must be present. As the RAG workloads access the data, these logs inform the business if any access has changed and allow the business to easily comply with internal and external audits by proving that it is only using approved data sets with public LLMs and GenAI models.
Last step, keep the data secure at rest. The use of LLMs and GenAI will only accelerate the migration of sensitive data into the cloud. These data elements that were once protected on-prem will have to be protected in the cloud as well. But there is a catch. The scale requirements of this data protection will be a new challenge for businesses. You will not be able to point your existing on-prem-based encryption or tokenization solution to a cloud database like Snowflake and expect to get the full value of Snowflake.
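The first two steps above (continuous classification, then per-service-account access control with access logging) can be sketched as a gate that sits between the retrieval store and the model. This is an added example, not code from ALTR or from the original post; the account names, labels, policy and sample chunks are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, used to cut false positives on card-like digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def discover(text: str) -> set:
    """Cheap re-scan at retrieval time: labels for sensitive patterns in the text."""
    found = set()
    if SSN_RE.search(text):
        found.add("pii")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        found.add("pci")
    return found


@dataclass(frozen=True)
class Chunk:
    doc_id: str
    text: str
    labels: frozenset  # classification labels stored with the chunk


@dataclass
class RetrievalGate:
    policy: dict                     # service account -> labels it may retrieve
    audit_log: list = field(default_factory=list)

    def release(self, account: str, chunks: list) -> list:
        """Return only the chunks this account may send to the model; log every decision."""
        allowed = self.policy.get(account, set())    # unknown account: nothing allowed
        released = []
        for ch in chunks:
            labels = set(ch.labels) | discover(ch.text)
            if not ch.labels:
                decision, reason = "deny", "unclassified"          # fail closed
            elif labels - allowed:
                decision = "deny"
                reason = "labels not approved: " + ",".join(sorted(labels - allowed))
            else:
                decision, reason = "allow", "all labels approved"
                released.append(ch)
            self.audit_log.append({
                "ts": datetime.now(timezone.utc).isoformat(),
                "account": account, "doc_id": ch.doc_id,
                "labels": sorted(labels), "decision": decision, "reason": reason,
            })
        return released

    def labels_released(self, account: str) -> set:
        """Audit view: every label that actually left the store for this account."""
        return {label for e in self.audit_log
                if e["account"] == account and e["decision"] == "allow"
                for label in e["labels"]}


# Constructed policy and data for illustration.
POLICY = {
    "svc-rag-support-bot": {"public", "internal"},
    "svc-rag-exec-briefing": {"public", "internal", "financial"},
}
SAMPLE_CHUNKS = [
    Chunk("kb-001", "Reset your password from the login page.", frozenset({"public"})),
    Chunk("hr-007", "Employee SSN 123-45-6789 on file.", frozenset({"internal"})),
    Chunk("fin-042", "Q3 revenue forecast draft.", frozenset({"financial"})),
    Chunk("tmp-999", "Imported meeting notes.", frozenset()),
]

if __name__ == "__main__":
    gate = RetrievalGate(POLICY)
    for account in POLICY:
        ids = [c.doc_id for c in gate.release(account, SAMPLE_CHUNKS)]
        print(account, "->", ids, "released labels:", sorted(gate.labels_released(account)))
```

The `hr-007` chunk is labelled only `internal`, but the re-scan finds an SSN pattern and the gate denies it for both accounts, which is the "slipped into the database" case from the first step.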
When prospects or customers ask me, “What is ALTR’s solution for securing LLMs and GenAI?” I used to joke with them and say, “Nothing!” But now I’ve learned the right response: “The same thing we’ve always done to secure your data—just with even more precision and focus for today’s challenges.” The use of LLMs and GenAI is exciting and scary at the same time. One way to reduce the anxiety is to start with a solid foundation of understanding what data you have, how that data is allowed to be used, and whether you can prove that the data is safe at rest and in motion.
This does not mean you cannot use ChatGPT. It just means you must realize that you were once that careless child running with arms wide open to Mickey, but now you are the concerned parent. Your teams and company will be eager to dive headfirst into GenAI, but it’s crucial that you can articulate why this journey is complex and how you plan to guide them there safely. It begins with mastering the fundamentals and gradually tackling the tough new challenges that come with this powerful technology.
Sep 9
ALTR Expands GTM Team with Powerhouse Hires to Lead the Charge in Data Security
ALTR isn’t just keeping pace with the evolving data security landscape—we’re setting the speed limit. As businesses scramble to safeguard their data, ALTR is not just another player in the game; we’re the go-to solution for bulletproof data access control and security. And today, we’re doubling down on that promise with three strategic hires to turbocharge our Go-To-Market (GTM) strategy.
Meet the Heavy Hitters
Christy Baldassarre
Christy Baldassarre joins us as our new Director of Marketing, bringing a formidable blend of strategic vision and execution prowess. With a track record of driving brand growth and market penetration, Christy excels at crafting compelling narratives that resonate with target audiences. She’s a master at turning complex concepts into clear, impactful messaging and knows how to leverage the latest digital marketing tactics to amplify ALTR’s voice.
"I am excited to be on such a great team and to be a part of taking ALTR to the next level. I chose ALTR because of its excellence in Cloud Security and Data Protection. This is a great opportunity to collaborate with such a visionary team and contribute to groundbreaking solutions that not only push boundaries but set new standards of how to keep everyone’s data safe." - Christy
Rick McBride
Rick McBride, our new Demand Gen Manager, brings a deep expertise in go-to-market strategy. With a strong foundation in business development, Rick has honed his skills in identifying opportunities and driving pipeline growth from the ground up. He’s not just about crafting campaigns; Rick knows how to connect with decision-makers and convert interest into action.
“A successful go-to-market strategy thrives on seamless collaboration across various teams, and our GTM group is poised to be the driving force behind it. We're set to champion the Snowflake ecosystem—engaging with customers, Snowflake’s Field Sales team, and partners alike—to fuel strategic growth. By leveraging Snowflake's powerful native capabilities in Security and Governance, we aim to deliver at the speed and scale that Snowflake users expect. We're thrilled to extend this value to every organization that prioritizes and trusts Snowflake for their data management needs!” - Rick
George Policastro
Next, we've got George Policastro as our newest Account Executive. George is a seasoned sales professional with a proven track record of closing complex deals and delivering results. His strengths lie in his ability to deeply understand client needs, build lasting relationships, and strategically navigate the sales process to drive success.
"I’m thrilled to join ALTR and tackle one of the biggest challenges organizations face today: securing their sensitive data while unlocking its full potential to drive business growth." - George
ALTR: Defining the Future of Data Access Control and Security
The world of data security and governance has evolved dramatically from the days of simple perimeter defenses. Now, we’re dealing with sophisticated, multi-layered security strategies that need to keep up with cybercriminals who are more aggressive and resourceful than ever. The core principles—knowing where your data is, who can access it, and ensuring its protection—haven’t changed. However, as data moves to the cloud, the challenge is achieving these goals at an unprecedented scale and speed.
That’s where ALTR excels. We’re not just providing solutions; we’re reimagining what data access control and security can be in a cloud-first world. By cutting through the complexities and inefficiencies of traditional methods, we deliver a streamlined, scalable approach that makes data security both simple and powerful. Our intuitive automated access controls, policy automation, and real-time data observability empower organizations to protect sensitive data at rest, in transit, and in use—effortlessly and at lightning speed. With ALTR, securing your data isn’t just more accessible; it’s smarter, faster, and designed for today’s dynamic cloud environments.
With our latest GTM team expansion, we’re fortifying our foundation to evolve into a cloud data security market leader who’s not just part of the conversation but is driving it.
Sep 3
Unleashing the Power of FPE: ALTR Key Sharing Meets Snowflake Data Sharing
In a world where data breaches and privacy threats are the norm, safeguarding sensitive information is no longer optional—it's critical. As regulations tighten and privacy concerns soar, our customers are demanding cutting-edge solutions that don't just secure their data but do so with finesse. Enter Format Preserving Encryption (FPE). When paired with ALTR's capability to seamlessly share encryption keys with trusted third parties via platforms like Snowflake's data sharing, FPE becomes a game-changer.
Understanding Format Preserving Encryption (FPE)
Format Preserving Encryption (FPE) is a type of encryption that ensures the encrypted data retains the same format as the original plaintext. For example, if a credit card number is encrypted using FPE, the resulting ciphertext will still appear as a string of digits of the same length. This characteristic makes FPE particularly useful in scenarios where maintaining data format is crucial, such as legacy systems, databases, or applications requiring data in a specific format.
Key Benefits of FPE
Seamless Integration
FPE maintains the data format, allowing easy integration into existing data pipelines without requiring significant changes. This minimizes the impact on business operations and reduces the costs associated with implementing encryption.
Compliance with Regulations
Many regulatory frameworks, such as the GDPR, PCI-DSS, and HIPAA, mandate the protection of sensitive data. FPE helps organizations comply with these regulations by encrypting data in a way that preserves its usability and format, which can sometimes be a requirement in these standards.
Enhanced Data Utility
Unlike traditional encryption methods, FPE allows encrypted data to be used in its existing form for specific operations, such as searches, sorting, and indexing. This ensures organizations can continue to derive value from their data without compromising security.
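To make the format-preserving property concrete, here is an added example that is not ALTR's implementation and not the NIST FF1 algorithm: an educational Feistel construction over decimal digits with HMAC-SHA256 as the round function. Besides round-tripping a card-like number, it checks two properties that matter for the search and indexing use described above: the mapping is deterministic per key and tweak, so equality lookups and joins on ciphertext work, while ciphertext sort order does not follow plaintext order. All keys, tweaks and sample numbers are constructed.

```python
import hashlib
import hmac

ROUNDS = 10      # even, so encrypt and decrypt split the string at the same point
MIN_DIGITS = 6   # assumption: refuse tiny domains, which can simply be enumerated


def _prf(key: bytes, tweak: bytes, rnd: int, half: str, modulus: int) -> int:
    """Round function: HMAC-SHA256 over (tweak, round, other half), reduced mod 10^m."""
    msg = tweak + b"|" + bytes([rnd]) + b"|" + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % modulus


def _check(digits: str) -> None:
    if not (digits.isascii() and digits.isdigit()) or len(digits) < MIN_DIGITS:
        raise ValueError(f"expected at least {MIN_DIGITS} ASCII digits")


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string to a digit string of the same length."""
    _check(digits)
    a, b = digits[: len(digits) // 2], digits[len(digits) // 2:]
    for rnd in range(ROUNDS):
        m = len(a)
        c = (int(a) + _prf(key, tweak, rnd, b, 10 ** m)) % 10 ** m
        a, b = b, str(c).zfill(m)          # zfill keeps leading zeros, so length holds
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt by running the rounds backwards with subtraction."""
    _check(digits)
    a, b = digits[: len(digits) // 2], digits[len(digits) // 2:]
    for rnd in reversed(range(ROUNDS)):
        m = len(b)
        prev = (int(b) - _prf(key, tweak, rnd, a, 10 ** m)) % 10 ** m
        a, b = str(prev).zfill(m), a
    return a + b


def protect_formatted(key: bytes, value: str, tweak: bytes = b"", decrypt: bool = False) -> str:
    """Transform only the digits of value, leaving separators where they were."""
    digits = "".join(ch for ch in value if ch.isdigit())
    op = fpe_decrypt if decrypt else fpe_encrypt
    out = iter(op(key, digits, tweak))
    return "".join(next(out) if ch.isdigit() else ch for ch in value)


def order_preserved(key: bytes, values: list) -> bool:
    """True if sorting by ciphertext yields the same order as sorting by plaintext."""
    return sorted(values) == sorted(values, key=lambda v: fpe_encrypt(key, v))


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()   # stand-in for a managed key
    pan = "4111-1111-1111-1111"                               # constructed test number
    token = protect_formatted(key, pan, tweak=b"payments.card_number")
    print("plaintext :", pan)
    print("ciphertext:", token)
    # A data-share consumer that has been given the same key and tweak recovers the value.
    print("decrypted :", protect_formatted(key, token, b"payments.card_number", decrypt=True))
    sample = [str(4000000000000000 + i) for i in range(12)]
    print("sort order preserved:", order_preserved(key, sample))
```

For production use, rely on a vetted implementation of a standardized mode such as NIST SP 800-38G FF1 with managed keys; the construction above only illustrates the properties.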
The Role of Snowflake in Data Sharing
Snowflake is a cloud-based data warehousing platform that allows organizations to store, process, and analyze large volumes of data. One of its differentiating features is data sharing, which enables companies to share live, governed data with other Snowflake accounts in a secure and controlled manner while also shifting the cost of the computing operations of the data over to the share's consumer.
Key Features of Snowflake Data Sharing
Real-Time Data Access
Snowflake's data sharing allows recipients to access shared data in real-time, ensuring they always have the most up-to-date information. This is particularly valuable in scenarios where timely access to data is critical, such as in financial services or healthcare.
Secure Data Exchange
Snowflake's platform is designed with security at its core. Data sharing is governed by robust access controls, ensuring only authorized parties can view or interact with the shared data. This is crucial for maintaining the confidentiality and integrity of sensitive information.
Scalability and Flexibility
Snowflake's architecture allows for easy scalability, enabling organizations to share large volumes of data with multiple parties without compromising performance. Additionally, the platform supports a wide range of data formats and types, making it suitable for diverse use cases.
The Power of Combining FPE with Snowflake’s Key Sharing
When FPE is combined with the ability to share encryption keys via Snowflake's data sharing, it unlocks a new level of security and flexibility for organizations. This combination addresses several critical challenges in data protection and sharing:
Controlled Access to Encrypted Data
By leveraging FPE, organizations can encrypt sensitive data while preserving its format. However, there are scenarios where this encrypted data needs to be shared with trusted third parties, such as partners, auditors, or service providers. Through Snowflake's data sharing and ALTR's FPE Key Sharing, companies can securely share encrypted data along with the corresponding encryption keys. This allows the third party to decrypt the data within the policies that they have defined and use it as needed.
Data Security Across Multiple Environments
In a multi-cloud or hybrid environment, data often needs to be moved between different systems or shared with external entities. Traditional encryption methods can be cumbersome in such scenarios, as they require extensive reconfiguration or critical management efforts. However, with FPE and Snowflake's key sharing, organizations can seamlessly share encrypted data across different environments without compromising security. The encryption keys can be securely shared via Snowflake, ensuring only authorized parties can decrypt and access the data.
Regulatory Compliance and Auditing
Many regulations require organizations to demonstrate that they have implemented appropriate security measures to protect sensitive data. By using FPE, companies can encrypt data in a way that complies with these regulations. At the same time, the ability to share encryption keys through Snowflake ensures that data can be securely shared with auditors or regulators. Additionally, Snowflake's robust logging and auditing capabilities provide a detailed record of who accessed the data and when, which is essential for compliance reporting.
Enhanced Collaboration with Partners
In finance, healthcare, and retail industries, collaboration with external partners is often essential. However, sharing sensitive data with these partners presents significant security risks. By combining FPE with ALTR's key sharing, organizations can securely share encrypted data with partners, ensuring that sensitive information is transmitted throughout the data's lifecycle, including across shares. This enables more effective collaboration without compromising data security.
Efficient and Secure Data Processing
Specific data processing tasks, such as data analytics or AI model training, require access to large volumes of data. In scenarios where this data is sensitive, encryption is necessary. However, traditional encryption methods can hinder the efficiency of these tasks due to the need for decryption before processing. With FPE, the data can remain encrypted during processing, while ALTR's key sharing allows the consumer to decrypt data only when absolutely necessary. This ensures that data processing is both secure and efficient.
Use Cases of FPE with ALTR Key Sharing
To better understand the value of combining FPE with ALTR's key sharing, let's explore a few use cases:
Financial Services
In the financial sector, organizations handle a vast amount of sensitive data, including customer information, transaction details, and credit card numbers. FPE can encrypt this data while preserving its format, ensuring it can still be used in legacy systems and applications. Through Snowflake's data sharing, financial institutions can securely share encrypted transaction data with external auditors, partners, or regulators, along with the necessary encryption keys. This ensures compliance with regulations while maintaining the security of sensitive information.
Healthcare
Healthcare organizations often need to share patient data with external entities, such as insurance companies or research institutions. FPE can encrypt patient records, ensuring they remain secure while preserving the format required for healthcare applications. Snowflake's data sharing allows healthcare providers to securely share this encrypted data with third parties. At the same time, ALTR enables the sharing of the corresponding encryption keys, enabling them to access and use the data while ensuring compliance with HIPAA and other regulations.
Retail
Retailers often need to share customer data with marketing partners, payment processors, or logistics providers. FPE can be used to encrypt customer information, such as names, addresses, and payment details while maintaining the format required for retail systems. Snowflake's data sharing enables retailers to securely share this encrypted data with their partners; with ALTR, the encryption keys are also shared, ensuring that customer information is always protected.
The Broader Implications for Businesses
The combination of Format Preserving Encryption and ALTR's key-sharing capabilities represents a significant advancement in the field of data security. This approach addresses several critical challenges in data protection and sharing by enabling organizations to securely share encrypted data with trusted third parties.
Strengthening Trust and Collaboration
In an increasingly interconnected world, businesses must collaborate with external partners and share data to remain competitive. However, this collaboration often comes with significant security risks. By leveraging FPE and ALTR's key sharing, organizations can strengthen trust with their partners by ensuring that sensitive data is always protected, even when shared. This leads to more effective and secure collaboration, ultimately driving business success.
Reducing the Risk of Data Breaches
Data breaches can devastate businesses through financial losses, reputational damage, and regulatory penalties. Organizations can significantly reduce the risk of data breaches by encrypting sensitive data with FPE and securely sharing it via Snowflake. Even if the data is intercepted, it remains protected, as only authorized parties with the corresponding encryption keys can decrypt it.
Enabling Innovation While Ensuring Security
As organizations continue to innovate and leverage new technologies, such as artificial intelligence and machine learning, the need for secure data sharing will only grow. The combination of FPE and ALTR's key sharing enables businesses to securely share and process data innovatively without compromising security. This ensures that organizations can continue to innovate while protecting their most valuable asset – their data.
Wrapping Up
Integrating Format Preserving Encryption with ALTR's key sharing capabilities offers a powerful solution for organizations seeking to protect sensitive data while enabling secure collaboration and innovation. By preserving the format of encrypted data and allowing for secure key sharing, this approach addresses critical challenges in data protection, regulatory compliance, and data sharing across multiple environments. As businesses navigate the complexities of the digital age, the value of this combined solution will only become more apparent, making it a vital component of any robust data security strategy.
ALTR's Format-preserving Encryption is now available on Snowflake Marketplace.
Mar 16
Offensive vs. Defensive Data Strategy: Why Not Both?
ALTR Blog
In the Data Management Body of Knowledge, data strategy is defined as a “set of choices and decisions that together, chart a high-level course of action to achieve high-level goals.” Data strategy sits at a critical spot within any organization: you’re defining what you’re going to do with data to reach the business outcomes you want to achieve. In doing so, you must take into account things like your regulatory environment, current infrastructure, and the limits on what you’re able to do with data.
In an article published in Harvard Business Review, the authors view data strategy as having two styles: offense and defense. Offensive data strategy focuses on getting value out of data to build better products, improve your competitive position, and improve profitability, while a defensive data strategy is focused on things like regulatory compliance, risk mitigation, and data security. An organization must make considered trade-offs between offense and defense, the authors propose, as there are limited resources available and attempting to accomplish all of your offensive and defensive goals is akin to having your cake and eating it too.
Here’s the thing: we disagree.
The Harvard Business Review article was published in the spring of 2017, before the privacy regulations we know and love today were in effect, before 2020’s massive shift to the cloud, and before data solidified itself as the critical new trend. The world has changed since then, yet this viewpoint is still echoed by leaders in the fields of data governance and data management as true. It’s time to take a step back and refresh our thinking. Here’s what we know:
Offensive data strategy is now much easier
Hardly anyone knew the name “Snowflake” in 2017, and in 2020 the Cloud Data Platform became the largest IPO by a software company in U.S. history. They did so by offering a simple way for organizations to store and analyze huge amounts of information. They’re not alone, either. Companies like Fivetran and Matillion make it easy to load data into cloud data platforms like Snowflake, while those like Tableau allow you to extract value from data within those platforms. With the shift to the cloud, it’s easier than ever to implement an offensive data strategy. Unfortunately, new and increasing privacy regulations mean your focus is forced elsewhere.
But, you must focus on defensive data strategy
The Harvard Business Review article was right when it said companies in highly regulated environments must focus on defensive data strategies. What wasn’t accounted for in 2017 were the sweeping privacy regulations that have come into effect around the globe. Now, every company is a regulated company and must spend time and resources implementing a defensive data strategy to avoid the costly penalties that come with a data breach. So if you must focus on defense, is there a way to somehow get the best of both worlds?
Simplicity is the key
Defensive strategies must take a page out of the offensive playbook and implement tools for risk mitigation, data governance, and data security as simply as possible. If tools can be implemented as services, without requiring resources to install and maintain, your team can accomplish both your offensive and defensive goals. Further, tools that can mitigate the risk of credentialed threats through proactive security allow you to enhance your offensive capabilities by moving more sensitive workloads to the cloud and sharing data with more teams.
You can have both offensive and defensive data strategies
You no longer have to make considered trade-offs between offensive and defensive data strategies. By implementing a defensive data strategy that mirrors the simplicity of your offensive tools, you can actually increase your ability to get value out of data. In this case, you truly can have your cake and eat it too.
ALTR's cloud platform helps mitigate data risk so you can confidently share and analyze sensitive data. To see how ALTR can help your organization, request a demo or try it for yourself!
Apr 20
Forging Ahead with Simplicity: ALTR's New Integration with OneTrust
OneTrust is the #1 fastest growing company on the Inc. 500, and for good reason. Organizations big and small, including about half of the Fortune 500, rely on the OneTrust platform to easily operationalize privacy, security, and data governance. This is especially critical as data (and data privacy) solidifies itself as the next big trend.
While it’s easier than ever to get value out of data, managing data has never been more complicated. Organizations have more data than ever, with more users needing access to data than ever before. On top of this, data is riskier than ever, forcing teams responsible for Privacy, Legal, Security, Risk, and Compliance to manage growing privacy regulations and attack vectors at the same time.
OneTrust and ALTR have approached this problem from separate ends: OneTrust by simplifying privacy and governance policy and ALTR by simplifying the implementation and enforcement of those policies. While separate approaches, our vision of enabling secure, governed access to data is a shared one. By combining our technologies, we’re able to meet in the middle to provide a holistic solution for data governance and data security where data teams get access to the data they need, while governance, privacy, and legal teams feel confident in their customers' and employees' privacy, and security and risk teams ensure data remains protected. This is why we’re beyond excited to announce our partnership and integration.
Our partnership with OneTrust allows thousands of customers to more tightly integrate their governance, data, and security teams. We believe this will help our shared customers dramatically simplify data governance programs, using automation to close the gap between governance policy creation and security enforcement.
With our new integration, OneTrust scans data sources to catalog your sensitive data and create policy to govern access based on its sensitivity. OneTrust then uses this policy to automatically configure access controls within ALTR, and ALTR enforces your governance policy on every request for sensitive data.
This new partnership brings together OneTrust’s centralized platform for privacy, security, and data governance with ALTR’s advanced, real-time enforcement. With this, you can automate access to sensitive data and close the gap between policy creation and enforcement, at scale, in a really simple way.
OneTrust + ALTR. Simplify your data governance program through automation.
Check out the OneTrust and ALTR webinar, as we take a deeper dive into the benefits of this partnership along with a live demonstration of our new integration. Click here to watch the webinar on demand!
Aug 4
Security in the New Normal: Why Data Consumption Governance Is a Must
ALTR Blog
As a society, we’ve been forced seemingly overnight into a new work environment with offices closing (and many companies permanently downsizing office space) and remote work seeming more and more like it's here to stay. The new normal is sure to be more digital, and enterprises are moving quickly to adapt to these changes by enabling remote work and further accelerating the migration to the cloud. Unfortunately, these rapid changes have also opened up new avenues for attackers to exploit. If companies are to remain secure in the new normal, they’ll need to adapt their security posture as well.
Enterprises already invest heavily in security (worldwide security spending is already over $100 billion annually, and expected to grow to $170 billion by 2022), but still lack basic visibility into and control over the sensitive data they collect and consume. This lack of visibility prevents companies from understanding how their organization uses data and also from taking advantage of these data consumption patterns, a key requirement as we evolve into the age of data. Meanwhile, a lack of control around data consumption means while companies may have implemented controls around who is able to access data and what data they’re allowed to access, they’ve not closed a critical gap: how much data a credentialed request is allowed to consume.
These two factors — an inability to understand enterprise data consumption and a lack of control around how much data is allowed to be consumed — combined with a quickly evolving regulatory environment, create a perfect storm for today’s enterprises: credentialed requests for data are often able to consume without limits, opening up a level of risk that puts entire companies at stake. With the rapid changes demanded by today’s new normal, the urgency to close this gap has only grown in importance.
What are the impacts of unchecked data consumption?
Companies that don’t place limits on the consumption of sensitive data are already in very dangerous territory as they remain vulnerable to both insider and external threats. Verizon’s latest Data Breach Investigations Report informs us that inside actors are involved in 30% of data breaches, and over 80% of hacking-related breaches (hacking by external parties is the most common type of threat action) involve the use of brute-force attacks or stolen credentials. The common denominator here is clear: having credentials is the best way to obtain what threat actors are looking for — sensitive data.
In addition to the financial impacts of a breach (CCPA fines can be up to $7,500 per record, for example), the impacts to brand reputation and operations pile up quickly, with strategic efforts put on hold while team members turn into firefighters and customers lose trust in the company.
To mitigate these risks, enterprises need a solution that provides observability and control over data consumption. These controls provide confidence in the security of the organization’s data no matter where it lives, enabling companies to properly and rapidly take advantage of the migration to the cloud. In fact, it’s only by having these capabilities that organizations can confidently and securely enter the new normal.
How can you gain both visibility and control?
Ideally, it would be great if you could treat your data the same way banks treat money in an ATM. Here’s the process as we see it:
- Identity: In order to access your funds, you need to present a card to show who you are.
- Multi-factor authentication: You must also enter a PIN code to prove your identity.
- Privilege: Once you’re authenticated, you only have access to your funds, not anyone else’s.
- Auditing: When you deposit or withdraw funds, you’re monitored with a camera and your actions are recorded.
This is where most companies are today, and where security tools offer their services. You’re able to solve for identity, authentication, and privilege, and most tools can provide some level of auditing for you as well. However, there is a major piece missing from the enterprise’s arsenal that banks solved a long time ago: controlling how much someone is able to consume — money in the bank’s case, data in ours.
- Thresholds: Limits on how much you can consume per transaction or over time.
For security and logical reasons, banks place limits on the amount of money you’re allowed to withdraw from an ATM. These limits are enforced on individual trips to the ATM, as well as contextually throughout the day. Limits like this protect the end user from fraudulent activity, protect the bank from customers withdrawing more money than they have (either accidentally or maliciously), and ultimately build trust in the bank’s ability to securely store its customers’ money.
This is exactly what enterprises need to be doing with sensitive data. You need the ability to contextually understand consumption patterns across all sensitive data (whether PII, PHI, or PCI data), limit how much data a request is allowed to consume, and proactively prevent requests from consuming more data than they are allowed to.
How ALTR helps companies enter the new normal
With ALTR, organizations can set governance policy to limit the consumption of sensitive data across the enterprise. Each time sensitive data is requested, ALTR records both the request itself and metadata around the request (which data was requested, how much, when, from where, etc.), and analyzes the request against ALTR’s risk engine before allowing or preventing the return of sensitive data. Data consumption and policy-related information can be sent to enterprise SIEMs and external security clouds and visualization tools (like Snowflake and Domo) for further analysis so the company can understand and learn from its data consumption behavior.
By implementing data consumption governance with ALTR, enterprises can understand how their organization consumes sensitive data, protect that data, protect their customers, keep up with a rapidly changing regulatory environment, build trust, and solidify their reputation while securely and confidently entering the new normal.
Ready to learn more about improving visibility into and control over your organization's data consumption? Check out this brief overview or reach out to get the conversation started. We’d love to hear from you!
Feb 23
Mastering multi-cloud data governance and security
ALTR Blog
In part one of this series, we talked about how 2020’s massive increase in the use of cloud data platforms led to organizations rushing to get to the fastest “time to data and insights”. This meant they were left with no option but to consider data governance and security last, which is massively problematic not only for regulatory reasons but for financial reasons as well. So part one was more about the problem; this article will address the solution.
Step one: data discovery and classification
A multi-cloud data governance and security architecture starts with the data generated and where that data is stored. Data sources can range from OLTP databases to large data sets used for data science. These databases exist across multiple cloud data platforms (Snowflake, AWS Redshift, Google BigQuery) as "fit for purpose" databases for analytics, operations, or data science. Data observability, governance, and security are applied from the ingestion point through to the exfiltration of data by various data consumer types such as business intelligence solutions.
The discovery and classification of data across multiple cloud data platforms and data sources is paramount. Once data is discovered and classified, you may introduce automation to apply governance and security policies based on security and compliance requirements specific to the business. Sensitive information is stored in a tokenized format and replaced with keyless and map-less reference tokens.
Step two: observe and control data access in real-time
Data consumption and analytics components of the architecture may observe data access in real time and provide intelligence for stopping both credentialed breaches and erroneous access to data from applications and services used by data consumers such as data scientists, analysts, and developers. Any anomalous behavior should be blocked, slowed down, or reported to the security operations center, and should initiate a workflow in a company's security orchestration, automation, and response (SOAR) services.
The architecture's data governance and security components must support different business goals such as data monetization, revenue generation, operational reporting, security, and compliance while promoting data access performance and "time to data." In other words, the best multi-cloud data governance and security architecture is invisible but very active when it needs to be.
2021 is the year
As we proceed into 2021, there is no sign of slowing down data generation, storage, and consumption. Think about IoT data generation, storage, and protection. This shift into the edge is going to be massive! An Andreessen Horowitz article calls for “The End of Cloud Computing”, and with good reason. Peter Levine (Andreessen Horowitz) rightly says, “Data Drives the Change, Real World, Real Time”. With this massive change in structured, unstructured, and edge device data, business leaders should positively incentivize organizations to establish multi-cloud data governance and security architectures now. 2021 is the year.
A properly designed and implemented multi-cloud data governance and security architecture will significantly reduce costs and introduce automation around data discovery, classification, and security. With this architecture, you will know how much data risk exists. Once you know the risks, you can implement governance and security policy once and apply it everywhere. Marrying this with automation into your security operations center (SOC, SOAR) will be very important to ensure you can respond to real data security threats in near real-time.
So that’s why we’re here! We’d love to show you firsthand how ALTR’s Data Security as a Service can help your organization reduce costs and introduce automation around data discovery, classification, and security.
Try ALTR for free today.
Feb 11
Multi-Cloud Data Governance and Security
ALTR Blog
2020 saw an increase in cloud data platforms used for operation, analytic, and data science workloads at breakneck speed. In a rush to get to the fastest "time to data and insights," organizations are left with no option but to think about data governance and security last. The first phase of migration to the cloud involved applications and infrastructure. Now organizations are moving their data to the cloud as well. As organizations shift into high gear with data migration to the cloud, it's time to adopt a cloud data governance and security architecture to support this massive exodus to the major cloud data platforms (Snowflake, AWS, BigQuery, Azure) at scale.
Who’s accessing your data?
DalleMule & Davenport, in their article What's your data strategy?, say that more than 70% of employees have access to data they should not, and 80% of analysts' time is spent simply discovering and preparing data. We see this firsthand when we work with small and large organizations alike, and this is a widespread pattern. Answering the question of who has access to what data for one cloud data platform is hard enough; imagine answering this question for a multi-cloud data platform environment.
Let's say you're using Snowflake and AWS Redshift. Your critical analytic and data science workloads are spread across both. How do we solve the challenge of answering who has access to what data consistently and across those two cloud data platforms? For companies that are heavily regulated, you must answer these questions while using a specific regulatory lens such as GDPR, HIPAA, CCPA, or PCI. These regulations further complicate things.
The tension between security and innovation
The struggle for balance between complying with regulations and promoting the fastest time to data means the experience for developers, analysts, and data scientists must be pleasurable and seamless. Data governance and security have historically introduced bumps on the road to velocity. DalleMule & Davenport’s article presents a robust data strategy framework; they look at a data strategy as a "defensive" versus an "offensive" one. The defensive strategy focuses on regulatory compliance, governance, and security controls whereas the offensive approach focuses on business and revenue generation. The key, they say, is striking a balance; and we agree.
A shared data governance and security architecture
From a technical strategy perspective, in order to implement either a defensive or offensive strategy and achieve a continually shifting balance across multiple cloud data platforms, you need a shared data governance and security architecture. This architecture must transparently observe, detect, protect, and secure all sensitive data while increasing performance over time.
Snowflake famously separated compute and storage. Data governance, security, and data should follow suit. Making the shift from embedded role-based and identity security and access controls in the cloud data platform to an external intelligent multi-cloud data governance and security architecture allows for the optimum flexibility and ability to apply consistent governance and security policies across various data sources and elements. Organizations will define data governance and security policy once and have it instantly applied in all distributed cloud data platforms.
Avoiding governance, security, and access policy lock with one cloud data platform provider will be critically important to adopt a multi-cloud strategy. Think of it this way: suppose you implement data access and security controls for data in Redshift. In that case, you can't expect the same policy to automatically be implemented consistently in your Azure, Snowflake, or Google BigQuery data workloads. This type of automation would require an open and flexible multi-cloud data governance and security architecture. It's essential to avoid the unnecessary complexity and cost of having data governance and security silos across cloud data platform providers. Unnecessary complexity doesn't make technical or business sense. Not having multi-cloud data governance and security architecture will negatively impact data observability, governance, and security costs significantly. The more data you migrate to the cloud, the more your cost increases. Worldwide data is expected to increase by 61% to 175 zettabytes, most of which will be residing in cloud infrastructures. Think about what this will do to governance and security costs across multiple cloud data platform environments.
You can’t protect what you can’t see
This massive movement of data to the cloud will require an incredibly robust data discovery and classification capability. This capability will answer where the data is and what type of data it is. AI and ML will be critical to making sense of the discovery and classification meta-data across these data workloads. You can't protect what you can't see. The discovery of vulnerable assets like data has been the age-old challenge with implementing security controls over large enterprises. With observability, discovery, and governance, you will now be inundated with a tremendous amount of data about people's access and security controls in place to mitigate potential data security risks.
Check out part two of this series to learn how a properly designed and implemented multi-cloud data governance and security architecture can reduce costs and introduce automation around data discovery, classification, and security.
May 28
Managing Data Access for Your Cloud Data Warehouse
ALTR Blog
An earlier post talked about why cloud data warehouses (CDWs) match so well with data security as a service (DSaaS). This post goes into more detail about exactly how DSaaS improves data access governance for CDWs.
The Cloud Abstracts Much of the IT Stack, but Not Data Access
The greatest power of the cloud is that it eliminates the need to operate many parts of a traditional IT infrastructure, from servers to networking equipment. This of course brings a lot of benefits with it, including lower capital expenditure on hardware and software, much more efficient operations, and significant savings of time and money. CDWs in particular also enable better data visualizations and advanced analytics so your organization can make better business decisions. Those are big wins.
When it comes to data access, however, there are some vital functions that the cloud cannot get rid of. As discussed last time, the first function is user authentication, which can be handled for CDWs in a straightforward way by using a single sign-on (SSO) solution. This step answers a fundamental question — Are you who you say you are? — before allowing a user to access the CDW at all.
What happens once a user is inside the CDW is covered by the more complex functions of authorization and tracking. That’s where DSaaS comes in.
Authorization: What Is Each User Allowed to Do?
DSaaS operates via a special database driver that enables granular control and transparency for data access without creating any meaningful impact on the performance of the cloud data warehouse. That means you can get the most out of the scalability, speed, and ease of access provided by CDWs such as Snowflake or Amazon Redshift, while also achieving better privacy and compliance.
The key is that DSaaS works all the way down to the level of the individual query. When a user attempts a specific data request, the system is able to see it and place controls on it using a “zero trust” approach. This means that every authorization is treated independently, not only when a user begins a session of using the CDW, but also at each step along the way.
Without slowing down anyone’s work, this allows the system to answer a second fundamental question — Should this user be permitted to execute this query right now? — each time the user attempts a data transaction.
To use an everyday analogy, the process works something like an ATM machine. When you use an ATM, it’s not enough that you’re a bank customer with the correct PIN; that system will enforce very specific limitations on whatever you try to do. Before you can make a withdrawal or transfer, it checks that the money is available. Before you can attempt to clean out your account all at once, it enforces a single-transaction limit or daily limit to prevent you from doing so. And if you finish your transaction, walk away, and then walk back when you remember something else you meant to do, it makes you go through authentication again.
Although the technology operates differently, DSaaS does something very similar for a CDW, this time treating data like money. It enforces rules around questions such as these:
- Should this user be able to access this data, down to the specific column?
- What actions may this user perform on that data? (View it? Change it? Download it?)
- How much of the data should this user be able to access at once?
DSaaS makes it easy for administrators, compliance officers, and security personnel to establish rulesets that govern the flow of data, without requiring an organization’s developers to code and test the logic from the ground up.
By enforcing these rulesets in real time, DSaaS enables businesses to put up guardrails that prevent users from accessing specific types or amounts of data that they shouldn’t. The upshot is that your organization is able to enjoy all of the value that CDWs create through efficient data access, while mitigating the attendant security and compliance risks.
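The three per-query questions above (which column, which action, how much), combined with the ATM-style per-transaction and over-time limits from the "Security in the New Normal" post, can be sketched as follows. This is an added example, not ALTR's code: the class names, the policy layout, the limits, and the assumption that the enforcement point knows how many rows a query returns are all hypothetical.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ColumnRule:
    actions: frozenset      # actions this role may perform on the column
    per_query_limit: int    # max rows returned by one query ("per ATM trip")
    window_limit: int       # max rows within the rolling window ("per day")
    window_seconds: int


class ConsumptionGovernor:
    """Evaluates every query independently; anything without a rule is denied."""

    def __init__(self, policy):
        self.policy = policy                  # {(role, column): ColumnRule}
        self.history = defaultdict(deque)     # (user, column) -> (time, rows)
        self.audit = []                       # one record per request

    def _used(self, key, now, window_seconds):
        events = self.history[key]
        while events and events[0][0] <= now - window_seconds:
            events.popleft()                  # drop consumption outside window
        return sum(rows for _, rows in events)

    def _evaluate(self, user, role, action, columns, rows, now):
        for col in columns:
            rule = self.policy.get((role, col))
            if rule is None:
                return False, f"no grant on {col}"
            if action not in rule.actions:
                return False, f"action {action} not permitted on {col}"
            if rows > rule.per_query_limit:
                return False, f"per-query limit exceeded on {col}"
            used = self._used((user, col), now, rule.window_seconds)
            if used + rows > rule.window_limit:
                return False, f"window limit exceeded on {col}"
        return True, "ok"

    def authorize(self, user, role, action, columns, rows, now):
        allowed, reason = self._evaluate(user, role, action, columns, rows, now)
        if allowed:
            # Count consumption only once every column has passed every check.
            for col in columns:
                self.history[(user, col)].append((now, rows))
        self.audit.append({"time": now, "user": user, "action": action,
                           "columns": list(columns), "rows": rows,
                           "allowed": allowed, "reason": reason})
        return allowed, reason


def run_demo():
    # Constructed policy and request sequence (hypothetical names and limits).
    policy = {
        ("analyst", "customers.email"): ColumnRule(
            actions=frozenset({"view"}), per_query_limit=100,
            window_limit=250, window_seconds=3600),
    }
    gov = ConsumptionGovernor(policy)
    requests = [  # (time in seconds, action, columns, rows requested)
        (0,    "view",     ["customers.email"], 100),
        (60,   "view",     ["customers.email"], 500),
        (120,  "view",     ["customers.email"], 100),
        (180,  "view",     ["customers.email"], 100),
        (200,  "download", ["customers.email"], 10),
        (300,  "view",     ["customers.email", "customers.ssn"], 1),
        (3700, "view",     ["customers.email"], 100),
    ]
    results = [gov.authorize("alice", "analyst", action, cols, rows, now)
               for now, action, cols, rows in requests]
    return results, gov


if __name__ == "__main__":
    for allowed, reason in run_demo()[0]:
        print("ALLOW" if allowed else "DENY ", reason)
```

Denied requests are still written to the audit list but never count against the window, so a blocked bulk pull does not lock the user out of normal-sized queries.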
Tracking: Is Each User’s Activity Accurately Logged?
Beyond regulating data access in real time, DSaaS also creates an immutable record of transactions at the query level. This provides a level of context that goes beyond visibility (Can we see what is happening?) to true data observability (Are we able to draw conclusions from what is happening?). That level of insight is a boon for compliance and security officers.
Working at the application layer, DSaaS can see both sides of a data transaction, providing a rich history of the queries a user made, which data they touched, and which data they received back. Such detail shines a bright light into previously dark corners of data access to uncover previously hidden patterns.
Because the records of these data transactions, along with administrative actions, are kept in a tamper-resistant archive, any data that is changed will be detected and can be changed back if necessary. And because the archive itself records exactly which users and records were affected, it aids in creating an audit trail for complying with recent tough privacy regulations such as CCPA.
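One way to make a query-level record tamper-evident, as an added example that is not taken from the post or from ALTR: the SHA-256 hash chain, the record fields and the function names are assumptions, since the post does not say how the archive is built. It also shows the caveat that matters in practice: a chain only proves integrity against a head value stored where the log's writer cannot change it.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the first entry's "prev" field


def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class QueryLog:
    """Append-only log in which each entry commits to everything before it."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.head()
        self.entries.append({"record": dict(record), "prev": prev,
                             "hash": entry_hash(prev, record)})
        return self.head()

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries, trusted_head=None):
    """Return -1 if intact, otherwise the index of the first failing entry.

    A return value of len(entries) means the chain is self-consistent but
    does not end at the trusted head (rewritten or truncated log).
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(entries)
    return -1


def build_sample_log():
    # Constructed sample records; field names are hypothetical.
    log = QueryLog()
    for record in [
        {"user": "alice", "query": "SELECT email FROM customers", "rows": 100},
        {"user": "bob", "query": "SELECT ssn FROM customers", "rows": 5000},
        {"user": "admin", "query": "ALTER POLICY ssn_limit", "rows": 0},
    ]:
        log.append(record)
    return log


def tamper_naive(entries):
    # Edit one record in place and leave the stored hashes alone.
    forged = copy.deepcopy(entries)
    forged[1]["record"]["rows"] = 1
    return forged


def tamper_and_rechain(entries):
    # Edit one record, then recompute every hash so the chain looks valid.
    forged = tamper_naive(entries)
    prev = GENESIS
    for entry in forged:
        entry["prev"] = prev
        entry["hash"] = entry_hash(prev, entry["record"])
        prev = entry["hash"]
    return forged


if __name__ == "__main__":
    log = build_sample_log()
    head = log.head()  # in practice, stored outside the log writer's control
    print("intact:", verify(log.entries, head))
    print("naive edit:", verify(tamper_naive(log.entries), head))
    print("rechained, no anchor:", verify(tamper_and_rechain(log.entries)))
    print("rechained, anchored:", verify(tamper_and_rechain(log.entries), head))
    print("truncated, anchored:", verify(log.entries[:2], head))
```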
Learn More About Protecting Sensitive Data in Your Cloud Data Warehouse
Using a CDW increases the value of your data to your organization; DSaaS reduces the attendant risks. Using both together enables your organization to improve privacy and compliance while taking full advantage of the portability, scalability, and speed of the cloud.
In a recent Database Trends and Applications webinar, “Protecting Sensitive Data in Your Cloud Data Warehouse with Query-Level Governance,” I had a chance to really dig into why you need full transparency and control over data access, and how to optimize privacy and compliance for today's most popular cloud data platforms.
Whether you already run a CDW or are considering it, check out this webinar on demand and find out how DSaaS can help you make the most of your investment.
Mar 1
Lessons From IAM: Governing Data in the Cloud
ALTR Blog
Identity and Access to Data
Identity and access management (IAM) is the set of technology and processes that grant access to the right company assets, to the right people, at the right time, and for the right reason. In my twenty years of IAM experience, I have seen the full evolution from web single sign-on in the early 2000s, to identity provisioning in 2004, identity governance and administration in 2005, and finally identity and access intelligence and automation driven by “identity fabrics” in 2019.
It is time for IAM concepts to be applied to the data cloud. At ALTR, we see a large trend of increased complexity, maintenance, and operating costs for ensuring people have access to the right data, for the right reasons, and at the right time. Applying IAM concepts to data can simplify this process and reduce your administrative burden.
Treat Data Access Controls Like IAM
Just as IAM platforms centrally manage identities and their access to applications, so should a central data governance and security system manage access to sensitive data. Sounds neat, right? Well, it's a bit more complicated than that. Just as identity is moving towards a multi-cloud model, so is data. This means that data is distributed across multiple data clouds like Snowflake, AWS (Amazon Web Services) Redshift, and Google BigQuery. This shift into a multi-data cloud architecture requires a platform that has the following characteristics:
- Simple – Simple for line-of-business users to use. You shouldn’t necessarily need to be an experienced cybersecurity professional or data security engineer to set up, configure, and get value from the platform.
- Distributed (Snowflake, AWS, Google) – The platform must support ease of connectivity and integration to the major data cloud platforms.
- Controlled from a single platform and pane of glass – Centralized management but distributed control is key to enforce common governance policies across data cloud platforms.
- Intelligence is built in – Intelligence-driven data security should deliver insights which drive policy and automation.
- Performance as king – Maintaining an adequate level of data access performance while observing data access and protecting against a variety of threats such as a credentialed breach.
- Delivered as a service – The centralized but distributed data governance and security system must be delivered with zero code and zero on-premises footprint.
It is All About the Roles, Tags, and Grants
A cloud native data governance and security system uses a cloud service provider’s (AWS, GCP, Azure) IAM roles to grant privileges on data warehouses, schemas, and table rows and columns via policy tags. These grants based on IAM roles allow for proper user or application operations on sensitive data.
A data security strategy that combines a multi-level (warehouse, schema, table, rows, columns) approach in an easy to implement, scale, and manage strategy is the “north star” of any sensitive data protection program. Answering key questions on establishing this multi-level model and augmenting it with secure views and functions are key to ensuring a solid strategy against massive data exposure and exfiltration.
Identity Is No Good Without Context
Having a strategy to map your Identity model to your sensitive data is great, but now you need to think about context. This approach is the “dynamic” nature of responding to potential threats. To gain context, you need a broader view of identity, data sources, security controls, and what governance rules apply.
By connecting identity, governance, and security together, you can gain much more granular views into and control over how data is used.
End to End Data Protection Use Case
Let us look at an end-to-end use case. In this sample use case, we set up a data catalog service to discover data in Snowflake, classify sensitive data, and notify ALTR of sensitive data for consumption governance and protection. Here are the five simple steps to take for this use case.
- Discover data from the Snowflake warehouse, schema, and tables. Automatically look for and classify sensitive data. This data could be any PII (Personally Identifiable Information), PHI (Protected Health Information), or data deemed sensitive by regulatory requirements such as GDPR (General Data Protection Regulation) or CCPA (California Consumer Privacy Act).
- Leverage ALTR to gain data consumption intelligence based on the discovered data and consumption patterns from users and applications. With this intelligence, we will understand who is accessing sensitive data and why.
- After identifying consumption patterns, we can use ALTR to govern access to sensitive data. We then place limits on data consumption, protecting data against credentialed threats.
- The last step is to further protect sensitive data by replacing it with mapless and keyless tokens using ALTR. This approach allows for the utmost security by giving you a way to tokenize data without using complex key management systems and requirements that make cryptographic alternatives hard to maintain and scale.
This end-to-end use case can be scaled to multiple data cloud platforms to govern and protect sensitive data distributed across cloud data platforms. ALTR provides the central data governance and security control point to manage policy once and affect data across your organization, significantly reducing complexity and cost for data protection.
To learn more about how ALTR can help your business, check out the latest demo from ALTR CTO, James Beecham, here.
Oct 13
Is Your Customer Data Privacy Program Naughty or Nice?
ALTR Blog
After another up and down year of COVID, I’m looking forward to some holiday joy, and to some fun holiday shopping. Like many others since the start of the pandemic I’ll be doing a lot of that buying from home, online. And some of the hottest items on the list – from smart watches to picture frames – come with internet connectivity built in. All of this has me wondering about the data that will be collected about me or my family in the upcoming holiday season.
Many of the articles I found when searching for “online holiday shopping data privacy” put the responsibility on consumers, with reams of advice on what we should do to protect our data. But that’s actually harder for consumers than ever. Although a handful of state-level privacy regulations were passed this year, the lack of consistent state-by-state consumer data privacy laws, or a US federal law like GDPR, makes it very challenging for consumers to understand what they’re agreeing to or what they might be giving up.
This means online retailers must step up. The flip side to the benefits of gathering data is the responsibility to keep it safe. Is your data privacy program ready for the holiday season? Is it naughty or nice?
Online holiday shopping is bigger than ever (and so is customer data collection)
COVID-19 threw a hitch into a lot of normal activities last year – from working from home to learning from home to watching movies from home. Sensing a trend? Holiday shopping was no exception. Before last year’s shopping season, a Deloitte survey showed 64% of respondents planned to spend their holiday shopping budgets online. For the first time, Cyber Monday surpassed Black Friday with 59% of respondents planning to shop on Cyber Monday versus 48% on Black Friday.
The trend continues this year with two-thirds (66%) of respondents to a leading customer data platform survey saying they buy online now more than they did before the pandemic. For the holidays this year, nearly half plan to combine in-store and online shopping, and more than one-third plan to use e-commerce exclusively.
This increase in online shopping has led to an increase in online shopping data – creating both a windfall and a responsibility for retailers.
Concern over customer data privacy hasn’t magically disappeared
COVID has convinced some consumers to overcome their distrust of online shopping – the Holiday Shopping ID Theft survey showed that 73% of those who avoided online shopping in the past say they have become more comfortable shopping online since the start of the pandemic. But 66% of those surveyed still expressed concern about their financial or personal information being compromised due to a data breach while shopping this holiday season.
This concern is no surprise – even though most consumers are unaware of all the data gathered about them while online shopping, even just the leak of a name, a credit card number, and an address could lead to issues. On top of that, retailers collect info about what customers are buying, sites visited, products considered, browsing patterns, and more. Consumers say they value privacy over customized marketing, but as customized marketing continues to be effective for retailers, there are no signs of this slowing.
Ensure your customer data privacy program makes the “nice” list
It’s practically impossible for consumers to have a clear idea of all the data companies are gathering on them because it’s primarily behind the scenes, with a cookie notification popping up here and there. And let’s be honest, we all just click whatever it takes to make the pop up go away and get on with our shopping – just like we do with terms and conditions! Companies that value their customer relationships should take these steps to keep customer data as secure as this year’s secret Santa list:
- Know the data you’re gathering and storing: Responsible retailers need to find and classify all customer data, discover where sensitive data like credit card and social security numbers are stored, and be ready to prove to regulators they have that knowledge.
- See, understand, and document who is accessing that data in real time: Knowing about the data is just the first step. If you can’t see who is accessing it, how can you be sure it’s being used as it should be? Make sure you have a tool (like your own personal Elf on the Shelf) that reports back to you on data access and usage by user. This helps you understand what normal data usage looks like and quickly identify when users step out of line. Keep a tamper-proof record of this access to share with regulators as needed.
- Control access and mask sensitive data based on data governance policies: Implement a tool to control access and dynamically mask sensitive data so that only the allowed data goes to approved users at the right time, in line with the policies in place to comply with privacy regulations.
- Use risk-based thresholds to stop unapproved access: Once you have a clear view of who’s using what data, when and how much is needed to execute specific tasks (like emailing a discount for a hot holiday item), set up limits and thresholds to ensure sensitive data doesn’t get into the wrong hands. This confirms that only the data needed to carry out business objectives is shared and limits the potential risk of credentialed access data theft.
The hottest gift this holiday season? Customer data privacy
With so much being thrown at consumers over the last two years, the best gift retailers can give their customers this holiday season is to take one more worry off their plates: data privacy. Retailers need to ensure sensitive and private customer data is controlled and protected, keeping it safe, so consumers can just focus on finding the latest, coolest gadgets and spreading holiday cheer in a year when we need that more than ever.
Jun 29
Sensitive Data Classification: The First Step to Complete Data Governance with ALTR
ALTR Blog
When you analyze a company’s journey as it becomes a more data-driven organization, you start to see some pretty clear patterns. Invariably, we see customers walking the path below regardless of industry vertical or company size:
Understanding sensitive data
- Discover and classify sensitive data
- Understand who is accessing sensitive data (and when, how much, and how)
Governing sensitive data
- Add controls governing access to sensitive data
- Add controls to ensure data privacy and regulatory compliance
Protecting sensitive data
- Apply advanced controls to limit data risk and integrate security
- Tokenize critically sensitive data to protect against direct access threats
Everyone has these same needs around their sensitive data—and a heck of a lot more—but these are what we keep seeing as core requirements. The very first item on this path is sensitive data classification. If you think about it, you can’t really get started until you understand what and where your sensitive data is. Once you do that, applying governance and security policies is a matter of doing the work (for any data engineers reading, yes, a lot of work. Contact us!)
Learn about what is considered sensitive data and what kind of security it requires.
Heck, we need sensitive data classification too. It allows us to better understand and report on data consumption, more easily apply access governance controls, detect sensitive data in new data sources, and help our customers be confident that their data is both private and secure.
When it comes to sensitive data classification, there are products out there doing a great job at that already. To add support in our own platform, we didn’t need to reinvent the wheel; we just had to add the classification “wheel” to our product’s “car”. Our customers can simply choose which classification provider they use, and ALTR’s integrations will take care of the rest, improving reporting on data access and making it even easier to implement governance controls.
For companies without a current classification provider, we have out-of-the-box integrations for Google DLP and Snowflake's native classification so everyone who uses ALTR can start on the path to full data access governance and security easily.
At ALTR, we want to remove the burdens of data classification as you grow and add more data, users, and platforms into the mix. We do as much of the heavy lifting ourselves as possible, delivering new and unique features that layer advanced data security on top of governance controls (for a primer on how governance and security are intertwined, check out this blog post). But we also believe this involves connecting the broader data ecosystem together so the tools and platforms you use share a unified understanding of your data. We’re excited that our support for data classification is an extension of this belief.
Learn more about ALTR's sensitive data classification.
See how doing sensitive data classification yourself in Snowflake compares to doing it with ALTR.
If you’d like to see sensitive data classification in action, request a demo!
Nov 12
The Fastest Way to Improve Your Online Security
ALTR Blog
What’s going on?
The 2020 Verizon Breach Report shows that breaches are up nearly 100% from last year, and threats are evolving at an alarming rate with more and more people working from home since March of 2020. This marks the fourth year in a row that stolen credentials are the number one source of breaches and hacking. (For our purposes here, hackers can be defined, at a very high level, as one of three things: those utilizing stolen or brute-forced credentials; those exploiting vulnerabilities; attackers using backdoors and command and control [C2] functionality.) Four years in a row is certainly long enough to call it an established trend, so let’s talk about why this is happening.
To start, we’ll explore the vectors where attacks are happening less. Websites are getting smarter about SSL/TLS, so plain text interception attacks are on the decline. Browsers like Google Chrome and Firefox are getting more aggressive about protecting against man-in-the-middle and eavesdropping attacks, leading to a decrease in IP spoofing, SSL hijacking, and the like. While it’s great news that these types of attacks are trending downward, the consequence is that now the only way in is with usernames and passwords. That’s great news for attackers since most people are lazy when it comes to their passwords... but bad news for users.
Credential Stuffing: when hackers exploit users that reuse passwords across different services
Do you use one key for your house, storage unit, office, safe, bike lock, and car? Probably not. It should really be no different when it comes to your different online services; if you use one password or a variation of one password for your Netflix, email, bank account, E*Trade, etc., then guess what? If someone steals your password, they’re going to have a field day with all that data. Maybe you’re not the type of person who uses a similar password for everything... but the average person certainly does. A recent blog published by eBanking platform Q2 shows that most people have more than 200 online accounts and only 8-10 unique passwords. So if I guess or steal one of your passwords, that means I’ll have access to at least 20 of your accounts (on average, of course).
Password managers for the win
Obviously it would be a huge pain to have to create a complex, really-hard-to-guess, unique password for each of your ~200 accounts. Wouldn’t it be great if there was a tool that could do that for you? Aha! There is. It’s called a password manager, and you should 100% use one. You can’t really go wrong when picking one: there’s LastPass, OneLogin, KeePass, Dashlane, and plenty more. Even your web browsers like Chrome, Firefox, and Safari have native password management capabilities (though we’d warn against those as most of them store your passwords on your computer in an unencrypted form).
Either way, any password manager is better than using the same password for all accounts. Use one for your personal accounts; use one for your work accounts; use one for everything! Just use it, please.
Why listen to me?
Even as a security expert, I didn’t realize how important a password manager was until a few years ago. I used to have three passwords: one without numbers, one with numbers, and one with numbers and symbols. The end. But then I got smarter, and I started using LastPass – I’m safer; my company is safer; my family is safer; and everything is just oh-so-much better (and easier). If you don’t believe me, maybe you'll listen to Forrester Analyst, Brian Kime, who claims that a password manager “could save your marriage”... just saying.
It’s not hard to start using either, and it doesn't have to be a whole big event. Download the password manager and as you go about your normal day logging into sites or services, just spend 30 seconds max changing your password for each site you visit. That’s all there is to it!
And if you’re wondering, “what if someone steals the password for my password manager?!” Well, I’d recommend using a device where you can use your fingerprint or face scan to log in; in lieu of that, a password manager will also generate a random, nearly impossible-to-guess password for you. So just do it.
The cybersecurity journey is never over since bad actors are constantly evolving along with new technologies. Password managers are just the first step to protecting your sensitive data. But as we mentioned at the beginning, stolen passwords are still on the rise. So, along with password managers, organizations need a strategy to ensure their data is safe if/when credentials are compromised. That’s where ALTR can help.
Nov 4
Human Threats to Your Data
ALTR Blog
Whether at work or for personal purposes, it seems like every website from online stores to news outlets requires a login these days. That’s a lot of passwords for you to manage, and it’s only human to take a shortcut or two. But even when you follow every password best practice, hackers have a way of getting around your defenses. According to a recent Verizon report, 81% of data breaches involve weak or stolen passwords. With employees who have passwords for countless applications, how can organizations possibly keep their data safe day in and day out? You need to understand the threat before you can find the solution that best fits your situation. In part one of this series we will explore the threats around guessed and stolen credentials.
People Are Predictable
Humans are creatures of habit, and hackers are very aware of it. By using brute force or dictionary attacks – or simply by peering over someone’s shoulder – hackers essentially “guess” user passwords based on their knowledge of password habits and open source intelligence. This is especially true for weak passwords (“123456,” “111111” and “password,” to name a few) that continue to be frequently used across multiple applications and platforms. To quote a prophetic 1970s Jackson 5 lyric, “abc, it’s as easy as 123.”
Lack of Diversity
Passwords are like stocks; you should never put all of your faith in just one. No matter how strong and reliable a password seems, it only takes one high-profile data breach (Target, Capital One, Equifax, etc.) to land a clever arrangement of numbers, letters and punctuation marks on some international hacker database. In a survey of 1000 individuals in the US, more than half used the same password for multiple online logins. When employees use the same password for everything, including your website or app, it’s like they’re handing cybercriminals a key to your front door.
Keeping Compromised Passwords in Circulation
Even when someone gets that dreaded notification that one of their (hopefully many) passwords has been compromised, they’ll often “wait it out” or change a single character instead of coming up with something completely different. Cybersecurity expert Troy Hunt notes that once a password or passphrase is exposed by a data breach, it is no longer secure. Attackers hoard the information exposed in these breaches and engage in credential stuffing, testing the combinations on unrelated sites. It’s only a matter of time before they discover your employee couldn’t be bothered to significantly change their credentials.
Plenty of Phish in the Sea
Cybercriminals are also adept at manipulating credentialed users into giving away passwords through phishing and spear-phishing campaigns. Take the “rescheduled meeting” scam popping up in thousands of corporate inboxes earlier this year, where employees were duped into providing hackers with their usernames and passwords. One study shows that even after implementing security awareness and phishing identification training programs in a workplace, users click on phishing emails almost 25% of the time. Encouraging your employees to keep a close eye on their inboxes could stop you from becoming some hacker’s greatest catch.
Solution: Think Outside of the Login Box
So how should organizations prevent a cybercriminal from getting to their sensitive data through employees’ passwords? While all of the steps above are helpful in preventing stolen passwords, the bottom line is you still need to assume someone will get through. You need to have technology and policy in place to protect your data even when a cybercriminal gets access to credentials. ALTR’s Data Security platform allows you to mask certain data so that the employee only has access to the fewest fields that they need in order to do their job. This means the cybercriminal only has access to minimal fields if/when they get into the application. Secondly, ALTR allows you to set thresholds for how much data an employee can access. When the cybercriminal or disgruntled employee tries to smash and grab all the data, they will only get away with a fragment of the data they were trying to get. These innovative security measures make compromised credentials a concern of the past.
To get more insight into how to protect your data with ALTR, download our free white paper, How to Address the Top 5 Human Threats to Your Data.
Jun 18
Bringing Human Connection to Nursing Homes During COVID-19
ALTR Blog
Even in the best of times, it can be a lonely experience living away from family in a retirement home or extended-living facility. But during the current coronavirus epidemic, residents of these homes are more isolated than usual, and often completely shut in. In this setting, something as simple as having a smartphone for video calls with family members can make a real difference in residents’ quality of life.
Working in tech, we at ALTR often use the latest models of smartphones for work and personal tasks. When we recently found ourselves with a surplus of slightly older phones that still had plenty of life in them, we looked for a way to repurpose the phones in the Austin area, where ALTR is headquartered. The opportunity we found exceeded our expectations.
Working with a local contact, we first determined the need for phones in local nursing homes. Then, ALTR’s technical crew made sure the phones were securely erased of any sensitive data and matched with the appropriate plugs and cables. Then we delivered them to the homes that needed them most.
Because each home typically has just one shared house phone without video, having a good smartphone or two on hand is a big plus for enabling residents to see their loved ones’ faces as they talk with them. Over the past couple of weeks, our team has distributed 20 phones to more than a dozen nursing and extended-living homes in Austin and nearby towns.
The staff at one assisted-living facility reported that they have now explained to their clients how family members of residents can take advantage of the new opportunity to connect. They assured us that the phone “is very much appreciated and definitely will be used.”
We know that this is just a small effort in these trying times, but we were happy we could take these steps to meet a real need for people in our community. And we’ll keep looking for new ways to help.
If you’d like to do the same, search for organizations in your area that are collecting donations in response to COVID-19. Here in Austin, for instance, the Ascension Texas healthcare group has guidelines for donating used iPads, along with new medical supplies such as personal protective equipment (PPE). Meanwhile, the national non-profit #CareNotCOVIDinitiative can help you find local facilities for giving nursing homes new electronic devices, books, games, medical supplies, and more. We hope you’ll consider pitching in!