Data Defense Doesn’t Win Championships

DataOps changes the dynamic in such a way that we no longer evaluate tools with the intent of securing a single dataset, but rather enabling secure access for all.

I sometimes like to tell a story about a computer science professor at my alma mater discussing the trade-offs of various data structures.

It goes like this: A clever student tried to stump the professor. He asked: “What if I wanted a data structure that I wrote to but never read from?”

The professor paused for a moment, and then responded: “In that case, I’d simply take the data and throw it away.”

Put another way: If you’re never going to access the data, why store it in the first place? This friction is not hypothetical: Forrester Research estimates that somewhere between 60 percent and 73 percent of enterprise data is never used for the purpose of analytics.

While there are many contributing factors, security is a big one. Sometimes referred to as “data defense” (reducing risk) versus “data offense” (driving revenue), businesses are forced to determine how much they are willing to limit access in the name of security. The sports adage that “defense wins championships” doesn’t function at the extreme: Just as a sports team with perfect defense can’t win if it doesn’t put points on the scoreboard, a company that practices perfect security can derive no value from its data.

The inclination to simply clamp down on access is natural, and one espoused by those like Kevin Andrews, CTO of the Atlanta-based employee benefits service company Hodges-Mace:

You are better off securing the entire data set. Segmented secure/non-secure data is risky due to the potential lack of communication within the organization … This leaves a high degree of vulnerability and the potential of someone distributing insecure data.

“Secure Everything” is an elegant mantra, but practicing it comes at a cost. Data is the fuel of today’s digital economy and crucial to accelerating the velocity of innovation in the business. Whether it’s a new personalized mobile app built on machine learning, or new insights that can be gleaned from customer behavior, data lies at the core of most digital efforts. Companies that evaluate data security only from a defensive perspective often fail to see the risk that a lack of offense creates for the business.

Companies naturally focus first on securing production data for use by multiple different applications and projects. This is a well-trodden, if not easy, path that includes techniques like encryption, transport security, and roles and access controls. But satisfying data needs means delivering data to a wide variety consumers outside of production applications. Solving this typically means obscuring sensitive data to create a radically lower risk profile in these downstream environments.

The traditional technique for this — data masking — has been around for nearly as long as there has been data, and is well-understood. Data masking takes sensitive data and creates a masked form from which the original data cannot be derived. While masking capabilities have evolved to include things like dynamic masking as data is read from the source, its core focus remains: obscuring data within one source.

The real challenge comes not from securing a single dataset, but in the ability to continuously deliver secure data to downstream consumers. Look no further than the recent breach at the U.S. Securities and Exchange Commission for an example. An unknown attacker breached a system operated by a third-party contractor normally used to test SEC systems. Data used for testing purposes was actually authentic data from unreleased corporate filings, not the dummy data that should have been used. (The FBI is investigating suspicious trades that followed.)

The SEC case serves as a reminder that the need to accelerate innovation for data consumers is just as real for a third-party contractors as it is for your own employees. Yet it’s unrealistic and impractical to establish the same levels of confidence, risk assessment, and security procedures with every third party. The solution is to deliver only the secure data into that environment, so that if breaches happen, sensitive data isn’t at risk.

DataOps changes the dynamic in such a way that we no longer evaluate tools with the intent of securing a single dataset, but rather enabling secure access for all. Combining data security and delivery into a single workflow, creates an environment ripe for innovative solutions to problems that weren’t apparent before. And it allows companies to practice both offense and defense without putting the company at risk.

This is the true power of DataOps: Bringing people together and empowering them to invent new data solutions to drive the business. Imagine one day waking up to the news that your third party development shop had a massive data breach, only to shrug it off, secure in the knowledge that your company’s sensitive data had never been at risk in the first place. Success means we can have our cake and eat it too, with offense and defense working together for the success of the business.