When Mohit Tiwari, CEO and Co-Founder of Symmetry Systems, agreed to sit down with Safety Detectives’ Aviva Zacks, she got ready for an exciting interview. She asked him all about his company’s DataGuard and how it helps security engineers keep everything safe.
Safety Detective: What motivated you to start Symmetry Systems?
Mohit Tiwari: UT Austin loves it when its research makes it into the real world, and my colleagues have co-founded companies on everything from full-duplex radios to robots in hospitals. Therefore, it was natural for our team to also think about practical impact.
Symmetry’s DataGuard helps a small team of security engineers to protect data across large organizations. Our research lab has worked on data-centric security for more than a decade, and over time, kept getting pulled into collaborations with regulated industries where security was blocking innovation.
In all cases—a hospital, a major defense contractor, a cloud-services provider—the problem was that every application or containerized service had to be hardened to get it over the security and compliance hurdles. Small flaws or exploits could mean major data breaches, and that meant, for example, that the hospital couldn’t use great collaborative tools to care for complex-case children because they weren’t HIPAA-compliant.
Our goal, and the goal of our entire research area, is a platform that directly secures data, even if applications and identities are exploited, and, as a result, becomes the focus of compliance and security evaluations. We met our investors at ForgePoint and Prefix last year, who introduced us to 50+ security teams, and we’ve been very fortunate to have had their feedback while building DataGuard as the first step towards a data-security platform.
SD: Tell me about DataGuard.
MT: “Firewalls” protect an organization’s most valuable persistent assets—first networks and then applications—and cover a range of detection and protection measures (rule- and behavior-based). Symmetry DataGuard effectively creates firewalls around all your data objects.
An architect can use it to surface where the biggest data risks are and what to do about them. For a security engineer, DataGuard can automatically learn data objects, help create proactive firewalls or detect when anomalous usage occurs, and speed up remediation with a clear view of the involved data objects.
We designed Symmetry DataGuard for data stores in a hybrid cloud. Amazon S3 is such a different beast that it has a reputation of being hard to secure, but there are production data stores (SQL, NoSQL, caches, queues) and analytics data lakes that contain sensitive data and talk to the internet. And each data store exposes a different set of knobs—encryption, access control—that are hard to set up and keep synchronized. So being able to scale operationally across data stores was a major goal for us.
The other big design goal was to build it for security engineers who guard data stores (vs. making developers label data and re-write authorization logic). This was inspired by the paved path model that Netflix has pioneered for building cloud-services and drives data-related security and compliance. Clearly, this also means DataGuard will not address application-safety questions—i.e., if your check-scanner service breaks, your bank balance will have an error; however, DataGuard will help ensure someone else’s malicious check-PDF will not breach or ransom your data.
SD: What verticals would be interested in your technology?
MT: We are working intensively with industries that work with regulated data—e.g., healthcare information beyond traditional EMR/EHR, financial, and even educational organizations.
On the other hand, technology companies that were cloud-first and are growing fast have been a major source of deployments as well. The time to value for such organizations is hours, and it greatly amplifies the few developers who were doubling up as security engineers in these organizations.
SD: What are the worst cyberthreats today?
MT: It depends on which lens we view these from.
- Governments and cities: infrastructure like transportation and power grids includes a lot of legacy computers that need hardening. Elections are coming up, and anything that protects voting—from voting machine attacks to disinformation on the web—is a major concern at the moment.
- Organizations are under tremendous business pressure to innovate and be efficient, but everything is buggy and exploitable—OSs, cryptographic libraries, identity systems, all application code, and third-party vendors. Protecting data from breaches or ransomware and business-critical services from going down in the face of all these exploitable components is challenging.
- End-users are organizations too—their data is always handled by third parties and they have very little visibility or control over it. Building systems where developers can quickly build fun services and share with their users how their data is used would be very impactful. The most innovative applications should enter “regulated”—i.e. socially and personally valuable—verticals first, instead of last.
These are broad strokes, and if you look closer, segments such as children, marginalized communities, and domestic abuse victims all need tailored security measures to keep them safe on the internet.
SD: How will the COVID-19 pandemic change cybersecurity for the future?
MT: Organizations will move towards reducing their trust in the network layer, and instead apply the end-to-end principle in designing their security measures: rooting trust in identity on one end and the valuable asset on the other (data objects, sensitive applications, etc.).
Programmable infrastructure—whether on the cloud or in private clouds or on-premise environments—will be a major winner. A lot of IT or application modernization efforts that may not have had board support will likely speed through and simplify and improve security controls.
The infrastructure that can be queried via APIs—for authentication, authorization, and usage logs—will greatly simplify effort spent on compliance-related data preparation efforts.
Security will end up working exceptionally closely with infrastructure and developer teams—not necessarily by offloading work to developers by “shifting left”—but by exposing risks and remediations as transparent APIs that enable a small team of security engineers to manage a large fleet of infrastructure.