ALTR Blog

The latest trends and best practices related to data governance, protection, and privacy.

After another up and down year of COVID, I’m looking forward to some holiday joy, and to some fun holiday shopping. Like many others since the start of the pandemic I’ll be doing a lot of that buying from home, online. And some of the hottest items on the list – from smart watches to picture frames – come with internet connectivity built in. All of this has me wondering about the data that will be collected about me or my family in the upcoming holiday season.  

Many of the articles I found when searching for “online holiday shopping data privacy” put the responsibility on consumers, with reams of advice on what we should do to protect our data. But that’s actually harder for consumers than ever. Although a handful of state-level privacy regulations were passed this year, the lack of consistent state-by-state consumer data privacy laws, or of a US federal law comparable to the EU’s GDPR, makes it very challenging for consumers to understand what they’re agreeing to or what they might be giving up.  

This means online retailers must step up. The flip side to the benefits of gathering data is the responsibility to keep it safe. Is your data privacy program ready for the holiday season? Is it naughty or nice?  

Online holiday shopping is bigger than ever (and so is customer data collection)

COVID-19 threw a hitch into a lot of normal activities last year – from working from home to learning from home to watching movies from home. Sensing a trend? Holiday shopping was no exception. Before last year’s shopping season, a Deloitte survey showed 64% of respondents planned to spend their holiday shopping budgets online. For the first time, Cyber Monday surpassed Black Friday, with 59% of respondents planning to shop on Cyber Monday versus 48% on Black Friday.  


The trend continues this year with two-thirds (66%) of respondents to a leading customer data platform survey saying they buy online now more than they did before the pandemic. For the holidays this year, nearly half plan to combine in-store and online shopping, and more than one-third plan to use e-commerce exclusively.  

This increase in online shopping has led to an increase in online shopping data – creating both a windfall and a responsibility for retailers.  

Concern over customer data privacy hasn’t magically disappeared

COVID has convinced some consumers to overcome their distrust of online shopping – the Holiday Shopping ID Theft survey showed that 73% of those who avoided online shopping in the past say they have become more comfortable shopping online since the start of the pandemic. But 66% of those surveyed still expressed concern about their financial or personal information being compromised by a data breach while shopping this holiday season.  


This concern is no surprise. Most consumers are unaware of all the data gathered about them while shopping online, yet even the leak of just a name, a credit card number, and an address can cause real harm. On top of that, retailers collect information about what customers are buying, sites visited, products considered, browsing patterns, and more. Consumers say they value privacy over customized marketing, but as long as customized marketing continues to be effective for retailers, there are no signs of this slowing.  

Ensure your customer data privacy program makes the “nice” list

It’s practically impossible for consumers to have a clear idea of all the data companies are gathering on them because it’s primarily behind the scenes, with a cookie notification popping up here and there. And let’s be honest, we all just click whatever it takes to make the pop up go away and get on with our shopping – just like we do with terms and conditions! Companies that value their customer relationships should take these steps to keep customer data as secure as this year’s secret Santa list:  

  1. Know the data you’re gathering and storing: Responsible retailers need to find and classify all customer data, discover where sensitive data like credit card and Social Security numbers are stored, and be ready to prove to regulators that they have that knowledge.  
  2. See, understand, and document who is accessing that data in real time: Knowing about the data is just the first step. If you can’t see who is accessing it, how can you be sure it’s being used as it should be? Make sure you have a tool (like your own personal Elf on the Shelf) that reports back to you on data access and usage by user. This helps you understand what normal data usage looks like and quickly identify when users step out of line. Keep a tamper-evident record of this access to share with regulators as needed.  
  3. Control access and mask sensitive data based on data governance policies: Implement a tool to control access and dynamically mask sensitive data so that only the allowed data goes to approved users at the right time, in line with the policies in place to comply with privacy regulations.  
  4. Use risk-based thresholds to stop unapproved access: Once you have a clear view of who’s using what data, when, and how much is needed to execute specific tasks (like emailing a discount for a hot holiday item), set up limits and thresholds to ensure sensitive data doesn’t get into the wrong hands. This confirms that only the data needed to carry out business objectives is shared and limits the potential damage from credentialed access data theft.  

The hottest gift this holiday season? Customer data privacy

With so much being thrown at consumers over the last two years, the best gift retailers can give their customers this holiday season is to take one more worry off their plates: data privacy. Retailers need to ensure sensitive and private customer data is controlled and protected, keeping it safe, so consumers can just focus on finding the latest, coolest gadgets and spreading holiday cheer in a year when we need that more than ever.  


When you analyze a company’s journey as it becomes a more data-driven organization, you start to see some pretty clear patterns. Invariably, we see customers walking the path below regardless of industry vertical or company size:

Understanding sensitive data

  • Discover and classify sensitive data
  • Understand who is accessing sensitive data (and when, how much, and how)

Governing sensitive data

  • Add controls governing access to sensitive data
  • Add controls to ensure data privacy and regulatory compliance

Protecting sensitive data

  • Apply advanced controls to limit data risk and integrate security
  • Tokenize critically sensitive data to protect against direct access threats

Everyone has these same needs around their sensitive data—and a heck of a lot more—but these are what we keep seeing as core requirements. The very first item on this path is sensitive data classification: you can’t really get started until you know what your sensitive data is and where it lives. Once you do, applying governance and security policies is a matter of doing the work (for any data engineers reading: yes, a lot of work. Contact us!).

Learn about what is considered sensitive data and what kind of security it requires.

Heck, we need sensitive data classification too. It allows us to better understand and report on data consumption, more easily apply access governance controls, detect sensitive data in new data sources, and help our customers be confident that their data is both private and secure.

When it comes to sensitive data classification, there are products out there doing a great job at that already. To add support in our own platform, we didn’t need to reinvent the wheel, we just had to add the classification “wheel” to our product’s “car”. Our customers can simply choose which classification provider they use, and ALTR’s integrations will take care of the rest, improving reporting on data access and making it even easier to implement governance controls.

For companies without a current classification provider, we have out-of-the-box integrations for Google DLP and Snowflake's native classification so everyone who uses ALTR can start on the path to full data access governance and security easily.


At ALTR, we want to remove the burdens of data classification as you grow and add more data, users, and platforms into the mix. We do as much of the heavy lifting ourselves as possible, delivering new and unique features that layer advanced data security on top of governance controls (for a primer on how governance and security are intertwined, check out this blog post). But we also believe this involves connecting the broader data ecosystem so the tools and platforms you use share a unified understanding of your data. We’re excited that our support for data classification is an extension of this belief.

Learn more about ALTR's sensitive data classification.

See how doing sensitive data classification yourself in Snowflake compares to doing it with ALTR.

If you’d like to see sensitive data classification in action, request a demo!

What’s going on?

The 2020 Verizon Data Breach Investigations Report (DBIR) analyzed nearly twice as many confirmed breaches as the year before, and threats are evolving at an alarming rate with more and more people working from home since March of 2020. This marks the fourth year in a row that stolen credentials are the number one hacking action behind breaches. (For our purposes, attackers fall into three broad groups: those using stolen or brute-forced credentials, those exploiting vulnerabilities, and those using backdoors and command-and-control [C2] channels.) Four years in a row is certainly long enough to call it an established trend, so let’s talk about why this is happening.

To start, let’s look at the vectors where attacks are happening less. Websites have largely moved to SSL/TLS, so plaintext interception attacks are on the decline, and browsers like Google Chrome and Firefox have grown more aggressive about flagging insecure connections and defending against man-in-the-middle and eavesdropping attacks, which has made IP spoofing, SSL hijacking, and the like far less productive. It’s great news that these attacks are trending downward; the consequence is that a valid username and password is now the path of least resistance. That’s great news for attackers, since most people are lazy when it comes to their passwords... but bad news for users.

Credential Stuffing: when hackers exploit users that reuse passwords across different services

Do you use one key for your house, storage unit, office, safe, bike lock, and car? Probably not. It should really be no different when it comes to your online services: if you use one password, or a variation of one password, for Netflix, email, your bank account, E*Trade, etc., then guess what? If someone steals that password, they’re going to have a field day with all that data. Maybe you’re not the type of person who uses a similar password for everything... but the average person certainly is. A recent blog published by eBanking platform Q2 shows that most people have more than 200 online accounts and only 8-10 unique passwords. So, on average, if I guess or steal one of your passwords, it unlocks 20 or more of your accounts.  

Password managers for the win

Obviously it would be a huge pain to create a complex, hard-to-guess, unique password by hand for each of your ~200 accounts. Wouldn’t it be great if a tool could do that for you? Aha! There is one. It’s called a password manager, and you should 100% use one. You can’t really go wrong picking a reputable one: there’s LastPass, 1Password, KeePass, Dashlane, and plenty more. Even web browsers like Chrome, Firefox, and Safari have native password management capabilities (though we’d caution that browser-stored passwords are typically protected only by your OS login session, so malware running under your user account can often read them; a dedicated manager with its own master password and multi-factor authentication is the safer choice).

Either way, any password manager is better than using the same password for all accounts. Use one for your personal accounts; use one for your work accounts; use one for everything! Just use it, please.

Why listen to me?

Even as a security expert, I didn’t realize how important a password manager was until a few years ago. I used to have three passwords: one without numbers, one with numbers, and one with numbers and symbols. The end. But then I got smarter, and I started using LastPass – I’m safer; my company is safer; my family is safer; and everything is just oh-so-much better (and easier). If you don’t believe me, maybe you'll listen to Forrester Analyst, Brian Kime, who claims that a password manager “could save your marriage”... just saying.

It’s not hard to start using either, and it doesn't have to be a whole big event. Download the password manager and as you go about your normal day logging into sites or services, just spend 30 seconds max changing your password for each site you visit. That’s all there is to it!

And if you’re wondering, “what if someone steals the password for my password manager?!” Well, the master password is the one secret you still have to remember, so make it a long, unique passphrase, turn on multi-factor authentication for the vault, and use a device where you can unlock with a fingerprint or face scan for day-to-day convenience. The manager then generates a random, nearly impossible-to-guess password for everything else. So just do it.

The cybersecurity journey is never over since bad actors are constantly evolving along with new technologies. Password managers are just the first step to protecting your sensitive data. But as we mentioned at the beginning, stolen passwords are still on the rise. So, along with password managers, organizations need a strategy to ensure their data is safe if/when credentials are compromised. That’s where ALTR can help.

To learn more, get a demo!

Whether at work or for personal purposes, it seems like every website from online stores to news outlets requires a login these days. That’s a lot of passwords for you to manage, and it’s only human to take a shortcut or two. But even when you follow every password best practice, hackers have a way of getting around your defenses. According to a recent Verizon report, 81% of hacking-related data breaches involved weak or stolen passwords. With employees who have passwords for countless applications, how can organizations possibly keep their data safe day in and day out? You need to understand the threat before you can find the solution that best fits your situation. In part one of this series we will explore the threats around guessed and stolen credentials.

People Are Predictable

Humans are creatures of habit, and hackers are very aware of it. By using brute force or dictionary attacks – or simply by peering over someone’s shoulder – hackers essentially “guess” user passwords based on their knowledge of password habits and open source intelligence. This is especially true for weak passwords (“123456,” “111111” and “password,” to name a few) that continue to be frequently used across multiple applications and platforms. To quote a prophetic 1970s Jackson 5 lyric, “abc, it’s as easy as 123.”

Lack of Diversity

Passwords are like stocks; you should never put all of your faith in just one. No matter how strong and reliable a password seems, it only takes one high-profile data breach (Target, Capital One, Equifax, etc.) to land a clever arrangement of numbers, letters and punctuation marks on some international hacker database. In a survey of 1000 individuals in the US, more than half used the same password for multiple online logins. When employees use the same password for everything, including your website or app, it’s like they’re handing cybercriminals a key to your front door.

Keeping Compromised Passwords in Circulation

Even when someone gets that dreaded notification that one of their (hopefully many) passwords has been compromised, they’ll often “wait it out” or change a single character instead of coming up with something completely different. Cybersecurity expert Troy Hunt notes that once a password or passphrase is exposed by a data breach, it is no longer secure. Attackers hoard the information exposed in these breaches and engage in credential stuffing, testing the combinations on unrelated sites. It’s only a matter of time before they discover your employee couldn’t be bothered to significantly change their credentials.
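As an added example (not ALTR’s code, and not the author’s), here is a password-change check that refuses the two habits described above: rotating to a cosmetic variant of the exposed password, and picking a password that already appears in a breach corpus. The breach lookup follows the k-anonymity range scheme of Troy Hunt’s Pwned Passwords API (SHA-1 the password, send only the first five hex digits, match the rest locally). The response bodies are constructed so the example runs offline; only the `sha1("password")` line is a real hash, and the filler hashes and counts are made up.

```python
"""Keep compromised passwords out of circulation.

Added example, not ALTR's code. Two checks a password-change handler can run:
  1. is the new password a cosmetic mutation of the old one (case flip, a
     digit or symbol appended or bumped, one or two characters changed)?
  2. is it already in a breach corpus? The lookup follows the k-anonymity
     range scheme of Troy Hunt's Pwned Passwords API: SHA-1 the password,
     send only the first 5 hex digits, and match the remaining 35 locally so
     the password itself never leaves the client. The response bodies below
     are CONSTRUCTED so the example runs offline; a real client would GET
     https://api.pwnedpasswords.com/range/<prefix> for each prefix.
"""
import hashlib
import re
from typing import Dict, List, Tuple


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """(5-char prefix sent to the server, 35-char suffix kept locally)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


# CONSTRUCTED stand-in for the API: prefix -> response body. Only the
# sha1("password") line is a real hash; filler suffixes and counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "0032A1F8C4E9B2D7A6F3E1C0B9A8D7E6F5C:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "7D3A0C1F2E4B5A6978C8D9E0F1A2B3C4D5E:17",
    ]),
}


def breach_count(password: str, ranges: Dict[str, str]) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(ranges.get(prefix, "")).get(suffix, 0)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values mean 'the same password, lightly edited'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


_TRAILING = re.compile(r"[\d!@#$%^&*.?-]+$")   # the part people "bump"


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is the old password in disguise."""
    o, n = old.lower(), new.lower()
    if o == n:
        return True                      # case-only change
    core_o, core_n = _TRAILING.sub("", o), _TRAILING.sub("", n)
    if core_o and core_o == core_n:
        return True                      # Summer2020! -> Summer2021!
    return levenshtein(o, n) <= 2        # p@ssword -> p@ssw0rd!


def evaluate_rotation(old: str, new: str, ranges: Dict[str, str]) -> List[str]:
    """Reasons to reject the change; an empty list means accept."""
    reasons = []
    if is_trivial_variant(old, new):
        reasons.append("new password is a trivial variant of the compromised one")
    hits = breach_count(new, ranges)
    if hits:
        reasons.append(f"new password appears {hits:,} times in the breach corpus")
    return reasons
```

Only the five-character prefix crosses the wire, so the service learns neither the password nor its full hash; the client does the final match against the few hundred suffixes that share that prefix. The variant check is deliberately loose (lowercase, strip the trailing digits and symbols, then a small edit distance) because that is exactly the kind of change a user makes to get past a “must differ from previous password” rule.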

Plenty of Phish in the Sea

Cybercriminals are also adept at manipulating credentialed users into giving away passwords through phishing and spear-phishing campaigns. Take the “rescheduled meeting” scam popping up in thousands of corporate inboxes earlier this year, where employees were duped into providing hackers with their usernames and passwords. One study shows that even after implementing security awareness and phishing identification training programs in a workplace, users click on phishing emails almost 25% of the time. Encouraging your employees to keep a close eye on their inboxes could stop you from becoming some hacker’s greatest catch.

Solution: Think Outside of the Login Box

So how should organizations prevent a cybercriminal from getting to their sensitive data through employees’ passwords? While all of the steps above help prevent stolen passwords, the bottom line is that you still need to assume someone will get through. You need technology and policy in place to protect your data even when a cybercriminal gets hold of valid credentials. ALTR’s Data Security platform allows you to mask data so that an employee sees only the fewest fields they need to do their job, which means a cybercriminal who gets into the application with that employee’s credentials sees only those same minimal fields. Secondly, ALTR allows you to set thresholds for how much data an employee can access. When a cybercriminal or disgruntled employee tries to smash and grab all the data, they get away with only a fragment of what they were after. These measures don’t stop credentials from being stolen, but they sharply limit what a stolen credential is worth.

To get more insight into how to protect your data with ALTR, download our free white paper, How to Address the Top 5 Human Threats to Your Data.

Even in the best of times, it can be a lonely experience living away from family in a retirement home or extended-living facility. But during the current coronavirus epidemic, residents of these homes are more isolated than usual, and often completely shut in. In this setting, something as simple as having a smartphone for video calls with family members can make a real difference in residents’ quality of life.

Working in tech, we at ALTR often use the latest models of smartphones for work and personal tasks. When we recently found ourselves with a surplus of slightly older phones that still had plenty of life in them, we looked for a way to repurpose the phones in the Austin area, where ALTR is headquartered. The opportunity we found exceeded our expectations.

Working with a local contact, we first determined the need for phones in local nursing homes. Then, ALTR’s technical crew made sure the phones were securely erased of any sensitive data and matched with the appropriate plugs and cables. Then we delivered them to the homes that needed them most.

Because each home typically has just one shared house phone without video, having a good smartphone or two on hand is a big plus for enabling residents to see their loved ones’ faces as they talk with them. Over the past couple of weeks, our team has distributed 20 phones to more than a dozen nursing and extended-living homes in Austin and nearby towns.

The staff at one assisted-living facility reported that they have now explained to their clients how family members of residents can take advantage of the new opportunity to connect. They assured us that the phone “is very much appreciated and definitely will be used.”

We know that this is just a small effort in these trying times, but we were happy we could take these steps to meet a real need for people in our community. And we’ll keep looking for new ways to help. 

If you’d like to do the same, search for organizations in your area that are collecting donations in response to COVID-19. Here in Austin, for instance, the Ascension Texas healthcare group has guidelines for donating used iPads, along with new medical supplies such as personal protective equipment (PPE). Meanwhile, the national non-profit #CareNotCOVIDinitiative can help you find local facilities for giving nursing homes new electronic devices, books, games, medical supplies, and more. We hope you’ll consider pitching in!

Imagine this scenario: you’re a CISO for a multi-billion-dollar retailer or manufacturer. Data has become critical to how your business is run. So much so that you have one thousand-plus users accessing data from Snowflake, and you have a data analysis team of 40. Early one morning an analyst appears to run a query that would return more than 7 million rows of PII data.  

What happens next? Does he get the data, or do you stop him?  

It all depends on the choices you’ve made up to that point…  

Plot your data observability and security path

Before you get to this juncture, there are a few critical steps you can take to ensure you have the right information and options available to you.  

1. Everything starts with Observability – ALTR’s integration with Snowflake provides complete observability over any sensitive data you tell ALTR to watch. This ensures that every request for, and usage of, this data is recorded and available to you as soon as it’s added to ALTR.  

2. Next comes data consumption patterns - The next step is patterning data consumption so you can begin to understand what normal consumption looks like. The easiest way to do this is by setting up a scaled set of “alert and log” signals in ALTR, which can be streamed to your Snowflake Security Data Lake. This will allow you to group access records by tiered amounts and give you additional context into which roles and users access what types of data and in what quantities. A sample tier of Alerts could include logging any users and/or roles which request:

  • 100 values (alert & log)
  • 1,000 values (alert & log)
  • 10,000 values (alert & log)
  • 100,000 values (alert & log)
  • 1,000,000 values (alert & log)

3. Seeing what "normal" looks like - After just a week, the data usage alerts in your SIEM or your Snowflake Security Data Lake can be visualized as a curve that represents your normal data consumption pattern. For example, the sample tallies below show that 99.5% of requests returned 10,000 or fewer records, while 81.4% returned 1,000 or fewer.

  • (368) 100-value alerts = 28.5%
  • (685) 1,000-value alerts = 53.0%
  • (234) 10,000-value alerts = 18.1%
  • (6) 100,000-value alerts = 0.5%
  • (0) 1,000,000-value alerts = 0%

4. Reducing the risk - Understanding how various users and roles across the business consume data to perform their functions allows you to tune your access, alerting, and blocking policies around normal and necessary usage. Set consumption policies just outside what your alert patterns show to be normal consumption and, over time, refine these limits on an ongoing basis to continually reduce the risk posed by credentialed access threats.  

Credentialed access threat detected and data loss halted

Let’s go back to our CISO and the analyst’s early morning access request. With ALTR and the Snowflake Security Data Lake in place, the CISO receives a real-time alert and the request is blocked for that specific analyst (no other analyst or data user is affected). The CISO asks his team to look at the security data lake to investigate. They find that over the past 120 days:  

99.7% of all queries run by any role on the analyst team returned 100,000 rows or less

68.4% of queries returned 10,000 rows or less

32.6% returned 1,000 or less

12.7% returned 100 or less

For Analyst II role (this user), the largest query to date returned 1.2 million records

Since his hire, this analyst has averaged 18,788 PII records a day

Daily and hourly details of PII consumption for every user and role:

  • Analyst I – average usage is 430 records per hour
  • Analyst II – average usage is 2,349 records per hour
  • 96.5 % of consumption occurs on M-F between 8am and 6pm CT

With this historical visibility available, it’s obvious this request is completely abnormal. The CISO calls the Director of the analysis team to inform her that the analyst is blocked and that a security event is being investigated. The Director lets the CISO know that this particular analyst is on PTO today. The CISO can then take the step of de-authorizing the analyst’s access to all systems enterprise-wide due to the threat that his credentials have been compromised. A security incident is created, and an investigation is launched.  
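The four steps above, and the investigation that follows, come down to a small amount of detection logic: tier each request by rows returned, summarize per-role consumption, set a limit just outside observed normal, and evaluate new requests against it. The block below is an added example (not ALTR’s product code) that runs that logic over a constructed one-week query log and then evaluates a request like the analyst’s 7-million-row PII query. In production the events would come from an audit source such as Snowflake’s QUERY_HISTORY view or an ALTR access log; the field names, role names, and every number in the log are assumptions made for the example.

```python
"""Baseline-and-threshold detection for credentialed access to sensitive data.

Added example, not ALTR's product code. Walks the four steps in the post over a
CONSTRUCTED query log: tier each request (step 2), summarize per-role
consumption (step 3), derive a block limit just outside observed normal
(step 4), and evaluate a new request. Event fields and all numbers are assumed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TIERS = (100, 1_000, 10_000, 100_000, 1_000_000)   # the "alert & log" tiers
BUSINESS_HOURS = range(8, 18)                        # 8am-6pm local


def tier_for(rows: int) -> Optional[int]:
    """Smallest alert tier that covers `rows`; None if above the top tier."""
    for t in TIERS:
        if rows <= t:
            return t
    return None


@dataclass(frozen=True)
class QueryEvent:
    user: str
    role: str
    rows: int          # rows of sensitive data the query returned
    when: datetime


def make_event(user: str, role: str, rows: int, iso: str) -> QueryEvent:
    return QueryEvent(user, role, rows, datetime.fromisoformat(iso))


# CONSTRUCTED one-week baseline (Mon 4 Oct - Fri 8 Oct 2021); not real data.
BASELINE = [make_event(*e) for e in [
    ("a.singh", "ANALYST_I",  40,        "2021-10-04T09:15"),
    ("a.singh", "ANALYST_I",  320,       "2021-10-04T11:40"),
    ("b.ortiz", "ANALYST_I",  870,       "2021-10-05T14:05"),
    ("b.ortiz", "ANALYST_I",  4_100,     "2021-10-06T10:30"),
    ("a.singh", "ANALYST_I",  55,        "2021-10-07T16:20"),
    ("c.lee",   "ANALYST_II", 2_300,     "2021-10-04T08:50"),
    ("c.lee",   "ANALYST_II", 9_800,     "2021-10-05T13:10"),
    ("d.park",  "ANALYST_II", 48_000,    "2021-10-06T15:45"),
    ("c.lee",   "ANALYST_II", 1_200_000, "2021-10-07T17:30"),  # largest to date
    ("d.park",  "ANALYST_II", 610,       "2021-10-08T09:05"),
    ("c.lee",   "ANALYST_II", 15_500,    "2021-10-08T11:55"),
]]


@dataclass
class RoleProfile:
    tier_counts: Counter   # tier -> number of requests that landed in it
    max_rows: int          # largest single request in the baseline


def build_profiles(events: List[QueryEvent]) -> Dict[str, RoleProfile]:
    """Step 3: what 'normal' looks like, per role."""
    by_role = defaultdict(list)
    for e in events:
        by_role[e.role].append(e)
    return {role: RoleProfile(Counter(tier_for(e.rows) for e in evs),
                              max(e.rows for e in evs))
            for role, evs in by_role.items()}


def share_at_or_below(profile: RoleProfile, tier: int) -> float:
    """Fraction of a role's requests returning `tier` rows or fewer
    (the '99.5% of requests were for 10,000 or fewer' style figure)."""
    total = sum(profile.tier_counts.values())
    hit = sum(c for t, c in profile.tier_counts.items() if t is not None and t <= tier)
    return hit / total


def block_threshold(profile: RoleProfile) -> int:
    """Step 4: a limit just outside observed normal: the first tier above the
    role's largest request, or 2x that request once the tiers run out."""
    for t in TIERS:
        if t > profile.max_rows:
            return t
    return 2 * profile.max_rows


def evaluate(event: QueryEvent, profiles: Dict[str, RoleProfile]) -> Tuple[str, List[str]]:
    """('allow' | 'alert' | 'block', reasons). A block applies to this request
    and user only; every other user keeps working."""
    prof = profiles.get(event.role)
    if prof is None:
        return "block", [f"no baseline for role {event.role}; failing closed"]
    reasons = []
    limit = block_threshold(prof)
    if event.rows > limit:
        reasons.append(f"{event.rows:,} rows exceeds {event.role} limit of "
                       f"{limit:,} (baseline max {prof.max_rows:,})")
    elif event.rows > prof.max_rows:
        reasons.append(f"{event.rows:,} rows is above anything {event.role} "
                       f"requested in the baseline ({prof.max_rows:,})")
    if event.when.weekday() >= 5 or event.when.hour not in BUSINESS_HOURS:
        reasons.append(f"outside normal hours ({event.when:%a %H:%M})")
    if event.rows > limit:
        return "block", reasons
    return ("alert" if reasons else "allow"), reasons


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    scenario = make_event("c.lee", "ANALYST_II", 7_000_000, "2021-10-12T05:30")
    print(evaluate(scenario, profiles))   # blocked: over limit and off-hours
```

The limit is derived per role rather than globally, because the Analyst I and Analyst II roles in the scenario have very different normal volumes; a single enterprise-wide threshold would either block legitimate Analyst II work or let an Analyst I pull far more than they ever have. An unseen role fails closed, and requests that are within the limit but above anything the role has done before are alerted rather than blocked, which is what lets the limit be tightened over time without surprising users.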

Choose your own adventure

Credentialed access threats continue to be one of the top drivers of sensitive data breaches according to both the Verizon Data Breach Investigation Report and the IBM Cost of a Data Breach Report. They’re possible to stop, but it’s not as simple as turning on a firewall. It requires preparation and diligence to get ahead of the risk, to first understand what normal data consumption looks like so you can quickly spot abnormal access.

It’s up to you: would you rather be prepared or caught flat footed? Your choice will determine what happens when a credentialed access threat crosses your path.  

Congratulations on kicking off your Snowflake journey! Or at least thinking about starting your journey with Snowflake. This puts you among the thousands of companies working with Snowflake to extract the maximum value from their data. And, based on what we’ve seen so far, I feel pretty confident that your Snowflake project will be successful. Before you know it, you’ll be inundated with requests – your colleagues will want more and more and more – and they’ll all want the answer yesterday. You’ll go from two users to 10 to 1,000 with no time to catch a breath.  

To ensure you’re keeping up with the speed of your business and not lagging behind from day one, it’s critical to have the right tools for your journey from the very start. That means including a data governance and security solution. This may not be on your list of priorities today – maybe you’re focused on other tasks, don’t think you need it, or believe it’s too time-consuming, complicated or costly.

But you won’t be able to get the most value from your Snowflake project as quickly if you don’t have an effective data governance and security solution from the beginning. I’ll explain why.    

You will need to include sensitive data and you will need to protect it

One of the primary reasons you’re making the move to Snowflake is to extract the maximum insights from your data to make better business decisions. You might start with anonymized datasets, but you’ll quickly need to include sensitive data to get the most insights, so why wait? The sooner you can run analytics on data that really matters, the faster you can deliver that value to the business. If you plan to do that from the beginning, that means preparing to comply with regulations around data privacy and protection. With new laws appearing across the US regularly, no industry is exempt from making sure data is safe from leaks and misuse. And there’s no lag to the risk – the day after you add the data, a trusted user could be phished or data could be misused, violating regulations.  

Snowflake data governance and security features can be hard to manage at scale and don’t include all the protections you need

Snowflake delivers the enterprise class security we all expect from leading cloud providers as well as some crucial features for protecting sensitive data, with more added in each new release. However, executing and managing those features must be done manually via SQL code – limiting the number of people who can implement and update policies, restricting your ability to scale easily as your project ramps up with new users and more data.  

And, even Snowflake will tell you that it can’t be responsible for who has access, what data you include, or controlling how those two intersect: who should have access to what data. This means there is no built-in mechanism to stop credentialed access threats or privileged access to sensitive data – if someone has the right login information, they can take as much data as they like. It’s on you to have a solution in place to stop this.  

“Snowflake has a phenomenal security team, world class security posture, but there’s still responsibility on the customer to keep the account secure. And if a user is compromised…there have to be controls in place on the customer’s side to detect that’s happened and to be able to remediate that quickly before the sensitive data gets out,” Omer Singer, Head of Cyber Security Strategy at Snowflake.  

Data governance and security don’t have to be complicated or costly or slow you down

Consider ALTR a light addition to your pack that helps you move more quickly down the road:  

  • Our SaaS solution integrates natively with Snowflake,
  • It creates only minimal latency and no scalability issues in your data access,
  • It’s easily implemented and managed via a no-code user interface requiring no database engineers or additional FTEs,  
  • Delivers advanced data governance and security features that Snowflake doesn’t, including consumption observability and limits; predictive consumption thresholds; alerts via text, messaging, email, phone, SIEM or SOC integrations; and tokenization of sensitive data,  
  • And with our free-for-life plan available on ALTR.com or through Snowflake Partner Connect, you can get started at zero cost today. Download our Quick Start guide to see how easy it is to get going.  

Accelerate your Snowflake journey with a boost from ALTR

The best thing you can do for your business is accelerate your adoption of your cloud data platform so you can drive business value faster. Imagine six months down the road, you’re two years ahead of where you hoped to be. Planning your trip right from the start can enable you to do that. You eliminate the need to come to a screeching halt a few months in to think about how to manage data governance and security.

You can keep moving ahead of the speed of your business, leading the way to maximum data value, when you include ALTR from the start.  

A few weeks ago I attended the Gartner Security and Risk Summit in Washington, DC, where ALTR was sponsoring and meeting with analysts, customers, and prospects (ALTR is a Gartner client). As usual it was really interesting to see how the overall market is evolving and where the focus is. Here are a few of the major themes that I observed:

Automation as the way to cope with increasing complexity and a persistent labor shortfall. The opening keynote by Gartner focused pretty heavily here. I believe the key stat is that 70% of companies reported that they can’t even digest 60% of their event traffic (from a SIEM or SOAR perspective), meaning they actually aren’t watching parts of their network at all, despite all of the investment in tools. And that just gets worse when you consider that hiring to fill that gap is getting harder to do, not easier.

My take: I am reluctant here – the idea of automation is much simpler than the execution, and I am skeptical of this technology’s ability to close this gap. Today’s automation has very little real predictive ability, and often produces as much work in training and managing false positives as it does in saving work. I think the answer here is to focus what we are monitoring based on risk, not monitor everything and just turn it over to automation.

Identity is the new perimeter. This theme was dominant throughout and focuses on the fact that in today’s cloud-powered and mobile world, the traditional network perimeter has dissolved and been replaced by authentication and access management. It’s notable that user credentials are now far and away the most popular attack vector for bad actors, from credential-stuffing to phishing credentials out of users via email and other avenues.

My take: I agree. I think you must verify, and then re-verify that the person who is accessing resources is in fact who they say they are. Some encouraging statistics are that something simple like multi-factor authentication will stop 97% of credential-based attacks. Of course, even then that 3% is still a really large number in absolute terms, and pretty troubling.

Identity and data will always be your problem. A lot of the conference was about cloud security, and I saw some great sessions about trends in this space. But the thing that I found really compelling was a particular chart that showed how when you go from IaaS to PaaS to SaaS, you shed responsibilities for various parts of the stack... but managing identity and data remain your responsibility.

My take: I think this view was compelling because it separates the IT-driven benefits of cloud computing from the risks that holding data can pose, and makes the point that those risks are still there no matter where your application workloads and databases are hosted.

The rise of Data Security Governance. Gartner publishes a model on data security governance that is meant to focus on a risk-based approach to managing data across both security and privacy concerns. The emphasis is not to start with security products, but to consider data more broadly. This framework was present throughout the conference in various sessions.

My take: I think this is absolutely the right approach. Once you authenticate someone it is important to manage what data they have access to globally. However as with most great strategic concepts it has problems when it meets the real world. The “product first” mentality is driven by the fact that data security and governance products are isolated from each other in different quadrants like DLP or CASB tools and in market guides like DCAP, Tokenization, and Data Masking. I sense an opportunity for Gartner to collapse products into a Data Security Governance market that gives organizations more of a connection between the risks and the tools that address them. I believe that some of these tools, and even some of these categories, don’t actually do that much to decrease the risk to data – and Gartner could help clients differentiate the good investments from the not as good.

Say you’re in a busy train station, looking for a store that sells water, and you spot someone handing out water for free. If you’re anything like me (read: paranoid), your first instinct is “This is either a charity or it’s a scam” and “Will that water make me sick?” Now imagine if the train station is the internet, and you’re looking for a service provider in the already sensitive space of data privacy. Alarm bells are definitely going off!

This might be caused by instinctual responses we have to the idea of a “free” product or solution. Even if (or especially if!) something seems genuinely disruptive like Amazon’s free delivery or Southwest’s no-fee changes, we could be skeptical. The value to us may seem obvious, but we wonder what’s in it for the vendor. What’s the catch?

So, let’s talk about where those reactions come from and see if they hold true for today’s free business software, especially SaaS solutions.  

#1: “A free product must be lower quality”

Simple economics has taught us that the higher priced a product is, the higher quality you should expect from it. This isn’t a hard and fast rule - sometimes we get fooled into paying for a brand or a logo - but it’s why you may not have a problem paying more for premium items, such as organic foods or luxury goods. And when you go “cheap”, you generally accept lower quality and the consequences of that. Fast fashion is meant to be replaced yearly, and there’s a reason people celebrate moving on from furniture you put together yourself.  

However, software is not the same as consumer goods – the same pricing structure doesn’t apply. With the technologies we have today, Software-as-a-Service (SaaS) companies can build software that solves problems common to multiple companies, then simply serve up that same solution to customer after customer directly from the cloud. They can deliver those benefits to a significant slice of the market without requiring costly customizations, consultant implementation hours or onsite hardware installations. This allows companies built on SaaS from the ground up, with a business model just as streamlined and flexible, to leverage economies of scale to offer powerful software at a much lower cost than legacy on-premises providers. You can’t do that with clothes or furniture. ALTR VP of Product Doug Wick explained very clearly how being built on the cloud from the beginning helps ALTR to deliver our solutions more quickly and for a lower cost than legacy on-premises solutions.  

I’d go even further: not only is free software not necessarily lower quality, it actually has to deliver even higher quality than a paid solution in order to retain and grow the customer base. Because there’s no financial commitment by the user, it’s easy to start but just as easy to stop using the product. A free tool quickly exposes any weaknesses, issues or flaws. Users will need a seamless experience that delivers value immediately in order to continue, let alone consider upgrading to a paid version.  

#2: “If you’re not paying, you’re the product (especially on the internet)”

This idea has been around a while, but really took off during the Facebook/Cambridge Analytica scandal. Many of us jumped onboard the Facebook train, adding our contacts, sharing our updates, checking in at locations – enjoying the opportunity to use technology to be more closely connected to our far-flung network. But most of us may not have considered what was happening with all that data. It turns out that our data is a commodity. We learned through scandal to be skeptical, and Facebook is far from alone. For example, a popular email cleanup tool turned out to be using the opportunity to collect and sell information on user purchases. In fact, a company co-founder accused users of being “naïve” to think the tool wasn’t “monetizing” their data.  

This is especially threatening for IT and security folks whose primary goal is to protect data! We know this feeling, as our founders come from data security in the financial services industry. They created ALTR to solve the problem of data control and privacy across the data ecosystem and built the company on a culture of data security.  

When users sign up for ALTR’s free plan, what we’re getting is not your data (we don’t need to store it in order to protect it - it’s as secure as ever) but information about your experience. A free plan allows us to greatly expand our user base and gain more insight into how the software can best solve problems and provide a better experience. Our users become active participants in our product development process, helping make the platform work better for them and future users. It’s a win/win.  

#3: “A free product can’t solve enterprise problems”

In the beginning, there was only enterprise software because only enterprises could afford it. It was developed to manage processes across the business, taking on big, complex problems on a massive scale. This came with expensive, years-long development cycles, complicated on-premises implementations by costly consultants, a big contractual commitment and a hefty price tag. The side effect was that even simple business problems could stay unsolved for months or years as the convoluted buying process wound its way along.  

Today, business solutions are taking their lead from consumer software: focusing on individual user needs and experiences instead of tackling enterprise-sized challenges out of the gate. Companies like Slack, Zoom, Canva, and even Google offer low-cost or free versions of their software for messaging, design, or content development. This allows individual users at large enterprises to test-drive solutions to solve a specific thorny issue, making overall processes more efficient.

Instead of needing buy-in from an endless number of executives and months-long contract negotiations followed by months- or years-long implementations, the users who will actually be using the software can simply sign up and try it. Once they understand intuitively how it works and determine if it will solve the problem, they can share with others throughout the organization for their review. If it gets traction, it’s much easier to upgrade to an enterprise-level subscription for additional features or support or to take on larger challenges across the business. This is buying from the ground up instead of the top down.  

ALTR’s free plan, for example, lets governance and data teams identify sensitive data in Snowflake, see who’s using it, and put basic access controls in place. It allows companies with a smaller need to address it immediately and users at larger orgs get a taste of how the solution would scale across all their data. A clear upgrade path makes it easy to grow as needed.  

Fact: “Free” can deliver more value than you might expect

So, while low cost or free may seem suspicious when it comes to clothes or furniture (or bottles of water!), software is a different beast. Technology advances have disrupted the way software is developed and the usefulness it can deliver to business users for low or even no investment. For those who associate free products with a drop in value or quality, it’s time to reconsider our general impulses around pricing to ensure you're not missing out on the real opportunity.  

We recently sat down with Fred Burton, a member of ALTR’s board of advisors, to hear his perspective on the landscape of threats to enterprise data security and integrity. Burton heads the global security practice of Stratfor. Before Stratfor, he was a counterterrorism agent for the U.S. State Department and leader of many high-profile international investigations. He is an author whose four books include the best-selling “GHOST: Confessions of a Counterterrorism Agent.”

ALTR: Your career in security has spanned the era of punch cards and rotary phones, the days of the first microcomputers, and now you have moved on to security in the age of cloud computing, AI and big data. How has protection of data moved from the periphery to the center of your field of vision?

BURTON: Well, the first line of concern has always been the insider threat. And that threat has been transformed by an order of magnitude through the transformation of information storage from paper and filing cabinets to servers and the cloud. In the government space in particular, we had plenty of insider threats in the 1950s, 1960s and 1970s, but there were limits to how many 201 files as we called them (source and personnel files) that you could walk out with in a briefcase or what you could photograph with a tiny Minox camera. Now even the ease of theft enabled by a memory stick is growing old as thievery is conducted from across the globe with stolen goods finding a ready market on the dark web. In today’s digital economy, the bad guys don’t even need to get out of their pajamas anymore.

ALTR: When you think about what we call insider threats, how do you see the interplay of internal threats conducted by truly bad actors vs. those that result from carelessness or ignorance, the classic problem of the 123321 password, for example?

BURTON: Actually, I think of it not in terms of the interplay of two categories of insider threat but three categories. For starters, you’ve got the need for digital solutions, be those at the heart of the data ecosystem as with ALTR or older solutions focused on the network or network endpoints.

The second category is what I call situational awareness. This is the training, the enforcement of internal security policies, the general commitment to security hygiene if you will. There’s a role of growing importance for HR to play in every enterprise. The last category that could use some more attention is the threat of intellectual property that can leak out of the C-suite if not protected by NDAs, policies for talent retention and ethics standards. Everybody’s chasing top talent these days and your most talented are usually reservoirs of knowledge about data if not data itself. This is where legal departments really need to step up their game.

ALTR: How are enterprises doing today? What’s working, what’s not?

BURTON: Well, cyber and data security is on the minds of just about every executive I talk to, from medium-sized domestic firms to global multinationals. And everyone is looking for a quick magic potion, a simplistic, brass ring of a solution that can be put on autopilot and spit out the next Edward Snowden before he’s done anything. What I think is more realistic and useful are security concepts that reduce and mitigate risks and those that quickly stem the bleeding when injury occurs. We need to think in terms of cocktail solutions and less about silver bullets.

ALTR: What do enterprises need to change to prevent future breaches?

BURTON: This follows really on my points about managing three categories of threats and the elusive hunt for magic potions. Enterprises need to be thinking broadly, not narrowly. But when it comes to action, it’s a similar kind of comprehensiveness in the solution architecture that is one of the things that appealed to me about ALTR’s technology from the first day I saw it. It’s not just about fire alarms to alert you to the conflagration – though you need those too. It’s about the smoke alarms that alert you before the fire actually erupts in flames and before the damage can spread. As a former investigator, you can well imagine that ALTR’s quick sand as I call it, the picture of digital truth that immutability records virtually all behavior in the interaction of personnel with data, is a very powerful and valuable tool. It’s this immutability enabled by blockchain that I believe is really critical to secure the future of the data economy.

ALTR: When it comes to data security, what keeps you up at night?

BURTON: I worry a great deal about systemic threats, the risks to the ecosystem of distinct businesses. It relates to our discussion of the transformation in a very short time from a world of filing cabinets to a world of cloud-based information measured in terabytes of data. And if enterprises need to spot the smoke before the fire, then business ecosystems need to spot the brush fire before it engulfs the entire forest. It’s not enough, sadly, for any enterprise to have its own house in order. If data integration along the supply chain is not protected, if vendors are breached or sales partners are careless, the result can be domino effects. From banking to hospitals to power grids, the potential of the domino effect is real and growing. And the fastest growing dimension of the overall threat matrix is, of course, the Internet of Things, IoT, that will be woven into the fabric of every enterprise. This is just one element of this that really does keep me up at night. It’s not a figure of speech.

ALTR: What’s your advice to security leaders out there?

BURTON: Think holistically. That’s the key in my view. A holistic approach to security, of course, needs to include the old school elements: hiring practices, an eye on personnel issues that may lead to desperation and carefully written contracts and NDAs. But far beyond that, the technology we use to confront threats to data, particularly insider threats, needs to be comprehensive and holistic. We need technology that protects data from being breached. But just building bigger walls and moats around the castle, which is where a great deal of thinking is stuck today, is not enough. To carry the analogy, we also need to know what’s going on inside the castle. We need deft use of technology that allows real time monitoring of data access, use and consumption. This is critical not only to enforcing policy on data, but also to establish policy. And lastly, as I mentioned, we need tools that yield a mitigation roadmap, a picture of digital truth, if and when a breach is attempted. This is the cocktail approach we need to embrace. Without this new tool set and attitude, risk mitigation and management is akin to a surgeon practicing without the benefit of X-rays.

It’s been a little more than six months since we announced our direct cloud integration with Snowflake, and during that time the cloud data platform environment has only continued to heat up. In June, Snowflake's third annual user conference brought a focus on Global Data Governance as one of the platform’s five key pillars and, with that, new capabilities like anonymized views and PII classification. And the company’s just-announced Q2 results reflect its continued importance in the market with 103% year-over-year growth.

In the six months since the release of our integration, ALTR has added new joint customers including HumanN, The Zebra and Welltok. And we’ve utilized Snowflake’s native features like masking policies and external functions to deliver unique solutions to our shared customers.

Tarik Dwiek, Head of Technology Alliances at Snowflake, said,

“ALTR is an innovator in using Snowflake’s extensibility features. By utilizing these features, they’re able to deliver powerful data protection and security natively integrated, allowing our customers to get more value from their Snowflake investment.”  

We’ll continue to leverage new native capabilities to tackle crucial data governance and security challenges for our customers as they move to Snowflake.  

The Snowflake Security Road So Far:  

A Security-First Approach to Re-Platforming Data in the Cloud

Q2's Chief Availability Officer Lou Senko, Snowflake's Head of Cyber Security Strategy Omer Singer, and ALTR CTO James Beecham discuss how innovative organizations like Q2 are taking a security-first approach to migrating from on-premises databases to cloud data warehouses, mitigating risk while maximizing their data strategy.

Do You Know What Your Tableau Users Are Doing in Snowflake?

When companies use a shared service account for Tableau access to Snowflake, it becomes impossible to see and control sensitive data access by individual users. ALTR solves this with some sophisticated development in our platform that requires just a simple change in Tableau to activate. See how Snowflake DBAs can configure and manage one Tableau service account, yet get per-user visibility and governance as if every end user had their own account.  

HumanN Utilizes Data Consumption Intelligence to Better Govern Customer Data

Customer-centric hyper-growth company HumanN is focused on creating and delivering superior functional nutrition products for the health and fitness industry. Because customer outreach is a large part of its mission, the company holds a significant amount of customer personally identifiable information (PII) in Snowflake, so protecting that data was essential to maintaining compliance and trust. See how ALTR helped with sensitive data discovery, consumption visibility, and purpose-based access control in Snowflake, all in less than 40 days.  

Plowing Through Data Governance Challenges and Security Risks on the Road to Snowflake

Our Director of Customer Success and Support, Jennifer Owens, works with companies to understand their challenges and help them build a plan to achieve their goals by utilizing the Snowflake + ALTR native solution. Here she shares use cases around securing consolidated enterprise data, enabling compliant PHI sharing, securing highly sensitive data and more.  

Moving to the Cloud Doesn't Have to Be Daunting for Small and Mid-size Financial Institutions

Small- and mid-size financial institutions might think moving to the cloud is a huge lift or a big risk, but it doesn’t have to be. ALTR Account Director Paul Franz explains how you can move your enterprise data warehouse to the cloud, easily and safely with Snowflake + ALTR’s “secure cloud data warehouse-in-a-box”.    

Snowflake Data Governance Buying Guide

Wherever you are in your Snowflake journey, it’s never too early or too late to think about how to handle sensitive data governance and security. But, it’s not always clear how the options stack up and what you really need. We put together this buying guide to help you understand the differences that really matter and what questions you should be asking as you evaluate your next move.  

It’s been an amazing six months, but like a lot of you, we feel like we’re just getting started on our Snowflake journey. And we can’t wait for the next step!  

See how ALTR can help ensure your sensitive data is governed and secured in Snowflake: get a demo!
