DataOps is facing a security reckoning.
The challenge is not where the data resides today, which is often in cloud data centers and warehouses. You can say that the migration of data into the cloud sped up development, ushering in a new era of DevOps.
Easy data access via the cloud drove CI/CD (continuous integration and continuous delivery). Technology innovation followed. But cracks began to appear in terms of security.
The most worrying one was supply chain attacks, like those that hobbled SolarWinds. Although supply chain attacks were not uncommon, what was nefarious about the SolarWinds attack was that the hackers accessed the build system for the company’s Orion software and piggybacked on the software update mechanism.
The attack woke the DevOps community up to zero-day exploits and to how CI/CD pipelines could be co-opted for attackers' gain. It also jumpstarted the DataSecOps (or SecDataOps) movement, weaving security processes into the CI/CD pipelines.
Now DataOps is facing a similar challenge. While the artifacts may be different, the overall problem remains. Controlling access while data is being used and consumed needs to be continuous and more proactive. It cannot be a static policy added at the beginning or end of the workflow.
Eldad Chai, chief executive officer and co-founder of Satori Cyber Ltd (Satori), sees another challenge.
With companies driving data democratization and allowing more self-service data analysis, more users have access to critical data. “And data takes meaning when it is used. So, we want to apply our policies and create visibility not when it is resting but when it is used,” says Chai.
Satori sees such an approach as part of its DataSecOps vision. It wants to embed security to manage the ever-shifting number of data users and keep data private, safe and well-governed.
Data security truths
Chai observes that data adds a different dimension to the security problem.
“Unlike DevSecOps, we are dealing with data and not apps or codes. And data carries context, unlike code,” he explains.
Chai argues that security cannot be an afterthought in DataOps. It needs a cross-function team that sees collaboration between security engineers, data engineers, and other stakeholders throughout the project — “not just at the end of the project.”
Satori claims that it simplifies DataSecOps further with a data architecture that is identity-aware. It masks secrets in a cloud-native, low-latency pass-through gateway. With universal data access control, the company says, you can monitor and control access to PII and sensitive data, deploy new policies and manage security policies as code via its APIs.
This is vital as regulators are tightening their oversight of sensitive data. With hefty fines and reputation on the line, companies need to take control of how their cloud data stores are secured and how they comply with the different Acts and regulations, and to conduct extensive data audits, explains Chai.
Will we be deaf to DataSecOps?
Satori is not done yet. The company recently released its Data Security Policy Engine.
It offers large enterprises and bigger teams a holistic design model with reusable policy objects to help define security policies to scale DataSecOps.
According to the company, data engineers can now define and manage row-level security, column-level security, and masking policies on top of existing data stores across all data locations at once. In addition, policies can be automated and managed in a declarative way, so when a new dataset is provisioned, security policies and access controls are there from the get-go.
Earlier, the company unveiled the Satori Self-Service Data Access capability. It allows data engineers to implement self-service data access workflows. These define which users can access which datasets and bring data access control back into the hands of data stewards.
Satori’s efforts are gaining industry recognition. It recently raised USD20 million in a Series A funding round and was a finalist at the coveted 2021 RSAC Innovation Contest.
For sure, they are not the only ones. There are plenty of startups chanting a similar mantra.
But the question remains whether DataOps teams will listen to Satori’s message on DataSecOps. Or will it take a debilitating attack to make them?
With hackers following the DataOps market closely, we’ll know soon.
Winston Thomas is the editor-in-chief of CDOTrends, DigitalWorkforceTrends, and DataOpsTrends. He is always curious about all things digital, including new digital business models, the widening impact of AI/ML, unproven singularity theories, proven data science success stories, lurking cybersecurity dangers, and reimagining the digital experience.