Bart Vandekerckhove is the co-founder and CEO at Raito. Raito is on a mission to bring back balance in data democratization and data security. Bart helps data teams save time on data access management, so they can focus on innovation. As the former PM Privacy at Collibra, Bart has seen first hand how slow data access management processes can harm progress.
Richie helps individuals and organizations get better at using data and AI. He's been a data scientist since before it was called data science, and has written two books and created many DataCamp courses on the subject. He is a host of the DataFramed podcast, and runs DataCamp's webinar program.
In today's age, data for a lot of companies is really a strategic asset, right? They use data to be competitive: better products, better insights, better services, and so forth. Now in those organizations, if you're too restrictive, that can hamper innovation.
So it's really about finding the balance. So finding the balance between data access and data security.
The most common mistake is thinking the tool will fix everything, right? Actually, I hope I'm not doing harm to Raito in this way as a vendor, right? But everything starts with culture. Everything starts with people and process. So just buying a tool and thinking it will act as a silver bullet is not a guarantee. And there, I love to use the example of Facebook, and I know I'm jumping on the bandwagon here, but actually Facebook has great technology in terms of data classification, automated access controls, yet it's one privacy breach, security breach after another, right? So it shows that culture really matters more than the tools. Even with the best tools, if the culture is not there, of course, it's not gonna work.
Balance Accessibility and Security: Find a balance between allowing data accessibility for innovation and maintaining stringent security to prevent data breaches.
Adopt a Gradual, Iterative Approach to Security: Improve data security incrementally, aligning it with your business strategy and continually reassessing and readjusting your approach.
Foster a Data-Security Conscious Culture: Cultivate a workplace culture that values data as a strategic asset, emphasizing the importance of careful data handling and the risks associated with data misuse.
Richie Cotton: Welcome to DataFramed. This is Richie. Data security is something that every organization needs to get right. If your data sets get stolen, then there's a big risk for disaster when you lose trust with customers and get in trouble with auditors. Today we're focusing on one particularly fascinating area of data security, namely data access management.
As a data scientist, naturally, I want access to every data set, just so I can have a snoop around and see if there's anything useful to me. If I could get my wish, that would make me a huge security risk. So in many organizations, there's a big tension between data scientists and data security professionals.
Two things have exacerbated the problem in recent years. Firstly, the size and number of data sets has dramatically increased. And secondly, the rise of AI has made cyber threats more scalable. Today's guest is Bart Vandekerckhove, the CEO and co-founder of data security platform Raito. Bart's background is interesting in that he started out in data analytics at BNP Paribas and Deloitte before moving to work in data privacy and security at Collibra and then founding Raito.
That means he really understands both sides of the argument about who needs access to data. Let's hear what he has to say.
Hi Bart, thank you for joining me on the show.
Bart Vandekerckhove: Hey, Richie, thank you so much for having me. Super happy to be here because, of course, as a Belgian, I've always been a fan of DataCamp, admired the succ...
Richie Cotton: Yeah, great to have you here. So I'd like to get into security more generally, but perhaps we can start with data access management, since that's your speciality. Can you tell me, what is data access management?
Bart Vandekerckhove: To talk about or explain data access management, we have to start by saying what it's not. So it's not access management. There's some overlap, but it's not access management. If you look traditionally at how we used to manage access, it was really at the perimeter of the database or of the application, right?
So you had access or you did not. Once you had access, you saw everything in the database or the application. Now with the whole cloud migration, everybody's moving their data science workloads or their data analytics workloads to the cloud. You're basically moving all your data from disparate, different applications, different data sources, and putting it in one location.
And by doing that, you know, you kind of lose the Chinese walls that you naturally have between these systems. And of course, with all that data in one location, that creates new privacy and security risks. I just took the numbers. So, yesterday or the day before yesterday, there was a new data breach report for 2023.
So it's like a report for all the security people; each year we wait for it. And if you look at the metrics, you clearly see the results of the security risks of moving all that data to the cloud. It said that more than 60 percent of data breaches come from web applications. So your public data clouds, your Snowflake, your Redshift, your AWS, which are accessible over the internet, more than 60 percent of those are the source of the data breach.
And then equally, we see social engineering being on the rise as a source, an attack vector that's being used. And that's, you know, because of the human factor. And if you look at the numbers there, you see that stolen credentials are the preferred way to attack, to breach a system or an application.
So with more than 40 percent. And that shows that, you know, with all that data centrally in your AWS S3 or your Snowflake, of course, you need to have the same Chinese walls that you naturally used to have between the different source systems. And of course, that means managing access at the most granular level, right?
So for a warehouse, that means managing access at the table level. In certain cases, even at column or row level. And then if you look at a file system, a blob storage like AWS S3, that means managing access at the file, folder, and so forth. So that's really granular access management, hence the word data access management.
So access management at the perimeter does not work anymore for cloud databases. Now you really have to manage access at the dataset level, and hence data access management.
Richie Cotton: Yeah, this is a really interesting shift, that you can't just sort of throw up a firewall and sort of say, okay, we're done. It's actually, you've got to get really into the weeds and decide what the access is going to be for, like, every single data set at quite a sort of refined level. You mentioned some of the downsides or some of the problems that can occur when you don't have good access management, like you can have security breaches.
Is there a flip side where there are some benefits you see from doing access management well?
Bart Vandekerckhove: Yeah, well, indeed, the predominant reasons to do data access management and do it well are of course always security and privacy, right? So, people and also your business partners need to trust that you'll use their data in a private and secure way. Now, of course, there are some benefits involved also.
If you look, for instance, at data quality, right? So if you're a data engineer and you're working on a project, maybe you don't want to have the rights to drop a table. Or maybe in certain cases, you don't want data analysts to have write permissions so that by accident, they can make mistakes. There's this aspect of providing guardrails, you know, you can work with data with the peace of mind that you won't make changes that are irreparable. That's something... we have one customer that is actually using data access management not to overwhelm the data analysts, right?
So they're basically saying, look, this is the data that you need to do your job, right? The data, for instance, that has been refined in the consumption layer, all the other data, data with bad data quality or data that you don't need. We don't expose you. You can't even see it. You can't even see the metadata that's there just to prevent them from being overwhelmed.
Richie Cotton: That's a really interesting use case. There's certainly, from my experience, like working as a data scientist, a lot of places like you join the company and they're like, okay, go and analyze the data. I'm like, okay, I've got access to the database. It's like, which one of these thousand tables am I supposed to look at?
Is it documented somewhere? And then actually there's only like three or four tables or whatever that you care about. And so having that restriction where you can only see what you need seems incredibly helpful. On that note who needs to be involved in data access management? Are there any particular teams or roles where this is an important part of your job?
Bart Vandekerckhove: I mean, that's evolving. The whole concept of cloud data access management is a new framework that's being developed. What we see today is, unfortunately, it's predominantly data engineers doing the job, and that's because it has grown historically like that. Now, that's not ideal because data engineers often don't know the business context of the data, the semantic meaning or policies that should apply.
So that's not an ideal situation. If you see which people are involved with our customers, so one is the data architect. So they typically select the tools that are being used to do the data modeling, define the framework. So the high level frameworks to, to use data access management, then we see, of course, the data engineer being involved.
They have to integrate data access management in their tool sets or in their data products. Sometimes, that means by tagging the data products as a commit or even defining the roles that can access. And then if you see more mature organizations, then you will see that the data owner, ideally, is also involved, and they will approve and review access, they will approve the access requests. And then finally, in a bit more mature organizations, you also see that data governance is involved, maybe together with the information security team, or with the data privacy team. And that is to define policies and, you know, monitor compliance with those policies.
So it's, it's quite a handful of people to do that really well.
Richie Cotton: So it seems, because there's a lot of different people, like who in general is the person who's in charge of this, who's sort of accountable for the data access management policy or program?
Bart Vandekerckhove: Who is finally accountable? That will typically be the person who is responsible for data governance, if they are there, right? That's typically the person where, how they say, the buck stops or the buck passes. It's actually a great question. So eventually it's often senior management in case of a data breach.
Or in case of privacy issues, that will be senior management. The person that's responsible to roll out data access management, that can be different people, like a CIO, maybe, or the CTO, the head of engineering, head of data. Again, this is starting to take shape, these roles and responsibilities.
Richie Cotton: Okay. So, job chances are going to vary from organization to organization, but it's in general, whoever's in charge of data governance.
Bart Vandekerckhove: That's what we see, and typically, so the person having the end responsibility, that can change, but the people that are always involved, like our champions, are always a data architect, or in smaller organizations, it's a senior data engineer that has these data architecture responsibilities.
Richie Cotton: And how does data access management sort of fit into a broader data privacy or data security program?
Bart Vandekerckhove: It's really just one of the tools in a broader toolbox to achieve privacy and security, right? So if you look at... well, it basically prevents unauthorized access, and that's important from a privacy perspective in certain cases when it's personal data, and in any case from a security perspective, also business-critical information you want to prevent unauthorized access to.
So if you look at it purely from a security perspective, you often combine it with tools like multi-factor authentication, you know, like the SMSs you have to respond to, or last pass best practices are also there, that you do data retention where you remove all the data, you apply SSO,
single sign-on, you do password rotation and so forth. And then for privacy, of course, that is paired with things like consent management, doing the regular data privacy impact assessments and so forth. So it's typically just one of the tools that an organization uses to achieve privacy and security.
Richie Cotton: Okay. So, things like authentication are about who gets access to the system and how do you prove it's really you. And then this is sort of the next step: once you're logged in, what are you actually allowed to do?
Bart Vandekerckhove: And I'm happy you said that, Richie. If you look at what's currently happening, it used to be IAM, right? Identity and access management was one thing. But now we have to move to the cloud. We see that there's a lot of startups really specializing in both. So some startups are really investing
or improving the identity space, so is Richie, or is that person that claims to be Richie really Richie, right? And then once claimed, what can they see? So that's where we are, so in the authorization space, once you've defined or confirmed that Richie is Richie, what can you actually see? And it's really so much work because of the whole cloud migration. When things were still on prem,
this was one thing, IAM, and now it's specializing, and I think eventually that will consolidate again. But now because of the whole cloud migration, there's a lot of startups active in that space and specializing the offering there.
Richie Cotton: That's absolutely fascinating, the way the industry's changed just due to this idea of, like, moving your data into the cloud. I'd like to ask, a lot of this seems to be focused on avoiding disasters, and have you seen any examples of, for example, productivity benefits or other benefits from doing data access management well?
Bart Vandekerckhove: It's really about finding the balance. So finding the balance between data access and data security. This is a really hard balance to find. We see some companies that want to move fast and they just give excessive privileges just to move fast and innovate. Of course, there you expose yourself to the security risk of data breaches.
A couple of examples. There was the Capital One data breach that happened a couple of years back, the total cost of which was more than 80 million, just because of over-permissive IAM roles. Equally, there was the Optus data breach in Australia. So Optus had about 10 million customers.
They lost 10 percent of their customers after the data breach. So a million of their customers left and took their business somewhere else. So that's the danger of just being over-permissive in order to move fast and innovate. Now on the other hand, if you're too restrictive and you've really secured access very well, there's the risk of, you know, too much red tape and long access request workflows.
And in today's age, data for a lot of companies is really a strategic asset. They use data to be competitive: better products, better insights, better services and so forth. In those organizations, if you're too restrictive, that can hamper innovation, which will really negatively impact your competitive position.
So doing that well really means balancing the two: letting your data workers innovate, move fast, while also keeping access secure. And that is a very hard balance to find. And that's something where currently you see the big tech doing it well. Like Airbnb, Uber, they're doing that well. They're building their in-house solutions for that.
Richie Cotton: You mentioned it's quite a cultural thing here. So, if you have a very risk-averse culture, then you're probably going to want to lock things down a lot more. Especially with sensitive data, you're going to be a bit more risk averse, whereas if you're perhaps a startup or a very small business, then you're going to want to be a bit more permissive because perhaps, I don't know, maybe you trust your colleagues a bit more. It's easier to trust colleagues in that situation when there's only a few people compared to when you've got lots of people.
Bart Vandekerckhove: Exactly, and that's also what we're seeing. So, I mean, if you look at the past 10 years, what really happened was that data analytics really democratized thanks to, you know, scalable compute, scalable storage. So a lot of teams were able to do data analytics where they previously were not, right? So you see a lot of mid-sized companies started to invest in data as a competitive asset.
There was also a lot of new startups, cloud-native, data-driven startups, that are using data to compete with the existing incumbents. So through that data democratization, a lot of data teams emerged. And, you know, initially they were kind of small. There was a head of data, maybe a couple of data engineers, and their main responsibility was to prove the viability of data.
Is there value in data and data analytics? You read it in the magazines, right? But is it also the case for us? So they invested heavily in that infrastructure, these first data products, the first data use cases. And the data teams that were successful now have more data consumers,
more data products in a platform, more tools, and so forth. But eventually they kind of ignored everything data access management, data security, because they had to move fast, prove the value first, and the number of data workers and data consumers was limited. So if it's just three, you can trust that, indeed, Richie, they won't do any privacy and security breaches.
And these companies, indeed, now they've reached that initial success, they are looking at ways to improve their data security and data access management.
Richie Cotton: Okay, so it's kind of part of maturing as a company that you want to start thinking about improving your data security. And does it affect different parts of businesses differently? Like, are there some areas where you might say, okay, we really need to lock down this data or we need to be really secure, and other areas of the business where you think it's maybe less important?
Bart Vandekerckhove: I think it really depends on the domains and the data that you're using. And also just the number of people, right? So typically you'll start with everything customer data. So in a marketing domain where you have a lot of data consumers, a lot of data analysts, there typically we see that people start.
Where it's predominantly service accounts or automated workflows, the need for data access management is less so. Prioritization, in short, typically starts with where you have the most data analysts, the most data, and also the most change, because that's where data access management is hard to do well.
Richie Cotton: Can you tell me a bit more about why having change in your data makes data access management more difficult?
Bart Vandekerckhove: It's actually the change aspect combined with the volume that makes it so difficult. So going back to how I started, right, with the Chinese walls that you need in your cloud data warehouses. I mean, if there's no change, you set your access controls once and you're good, right? So that's typically in operational systems.
So if you look, for instance, at Raito, our customers, they do it for analytical data because there's so much change. They don't need our solution for operational data because you set your access controls there once and it's done; the change is very limited. Whereas in analytical data, definitely with frameworks like self-service analytics or data mesh,
there's a lot of change in your data. Data products are being generated, you know, new AI/ML models, new reports are being generated all the time, you know, preferably, it's a high-paced environment. And keeping those Chinese walls up to date at very fine-grained levels with all that change, that is exactly where the challenge is.
Richie Cotton: So you mentioned the idea of a Chinese wall a few times. Just for listeners who don't know what that is, can you give a quick explanation?
Bart Vandekerckhove: So a Chinese wall means that you have a separation in your company, that only certain teams can see the data for their domain, right? So Chinese wall means that somebody in marketing cannot see the data in finance, right? That's a typical issue that you see where, you know, you frown your eyebrows that you were working with a company.
You send them your data just for billing and all of a sudden you start getting marketing, you know, messages. That is where their Chinese wall has been breached. So it's really pain between different teams so they don't see each other's data.
Richie Cotton: I don't think we'll get through this without mentioning AI. So, first of all, let's talk about the problem. So, there have been so many advances in AI recently. Has that created any new data security problems?
Bart Vandekerckhove: AI has been... and I love this topic. Just for the record, I'm not against AI, right? There's been a lot of doom thinking; it creates a lot of clicks, it creates a lot of commotion, and so I think in general AI will be for the good. Now, if not managed well, clearly there are privacy and security risks, even risks to democracy, so no denying that.
So I want to start with that caveat. Issues, the known problems: the impact of AI on privacy, that's a known problem. We've known that for a while now. You know, there's the example of the teenage girl where some kind of AI model knew she was pregnant before she knew and sent her some materials on pregnancy.
And that's how her father discovered, right? So AI, there are clear issues, people not getting bank loans because a model decided and the computer said no. So the impact on privacy is clear. And it's great that we're working on that. And that is very important. In terms of security, I think the problems there, or the challenges at this stage, are, I think, still predominantly theoretical.
But I think what's clearly happening is, and it's also in that report by Verizon, the data breach report, is that the human link, right? That's the biggest risk in security: the humans operating the systems. So there, social engineering is on the rise, right? And I'm expecting AI to do that at scale, human engineering at scale.
Just a prime example: some of our guys at the company here, they've been getting mails from an impersonator pretending to be me, asking them, "Hey, send me the list of accounts and their contacts." Same happens in companies where the CFO or the CEO sends an email, and again, an impersonator,
with a lot of urgency, you know, "wire one million to that account," this and that, right? You can really pressure humans into behaving erratically. There was this, there's a video on YouTube, where you see a social engineer lady, she calls the bank of the interviewer.
So, if I were her, Richie, I would call your bank, and there would be this noise of a crying baby, and she pretended to be the mother, Richie's wife, rushing the bank into giving the credentials because she urgently needed to do a transaction. And they just do it. So humans are the attack vector. And increasingly that will happen.
In the movies, where you see a hooded hacker typing code away and getting into every system, that's not how it happens. It happens to humans through email, phone calls, LinkedIn messages. That's how organizations get breached. If you look now at the developments in AI, you know how easy it is to impersonate a person.
Just an image, a couple of seconds of voice material. On every CEO, like myself, it has to be public, right? So maybe there's some guy in Russia or China who will use this podcast to impersonate me, because there's plenty of material here, and with AI, you can just do it at scale. So it's going to be so much easier just to target people and impersonate the CEO.
So that's one way AI will be a threat. Another way, and that's, you know, paired with the trend of moving towards DataOps, where data teams apply best practices from DevOps, is that AI will scan your GitHub, right? And they will look for privileges and accounts that you can just use to access your data.
And apparently a source of data breaches is where you use the default IAM roles. They scan your GitHub, they take those roles and boom, they're in and they have all your data. AI definitely can be a threat there, but I think AI will also be the solution.
Richie Cotton: It seems like the biggest thing, at least for the moment, is just that AI can generate better phishing emails. But also, I mean, you mentioned it's easy to impersonate people, and now I'm thinking, well, yeah, there's a lot of podcast episodes of me. It's probably quite easy to clone my voice. Maybe a challenge for our listeners there, see if they can do that. But so you also mentioned the idea that there are a lot of, I guess, things like API keys or account credentials that are available in public locations and that are maybe fairly easy to scan. So it does seem like there are a few new sort of attack vectors there.
But then you said that AI might also be useful for mitigating these threats. Can you talk me through how that's going to work? How's AI going to solve the problems?
Bart Vandekerckhove: It's really about scalability, right? So AI, in a way, creates a challenge. You know, with AI we have so much data, a lot of that data is oftentimes, you know, created by the machine, so you've got a lot of data that you have to cover at very granular levels, where access management used to be a predominantly manual process. Now, of course, that can't keep up.
So you need AI to support you in that, right? It's like a second pair of arms, second pair of eyes. And so in data governance, and that's the space I come from, something that we've been working on for a while is automated data classification, right? So as data enters your lake or your warehouse, you automatically tag it.
Hey, this is sensitive data. Oh, watch out. You got customer data. I'm even finding some payment card information here. And then based on those tags, you automatically apply the right policies. By the way, shameless plug, that's what we're doing with Raito. So, end of shameless plug. So that's one thing making it scalable.
Other ways are like automatically finding misconfigurations. You know, maybe you've got buckets that have been misconfigured. But you also see it in threat detection and anomaly detection, right? So seeing weird changes in how people are accessing the data, people that are normally not accessing data on the weekend all of a sudden do it.
That's a clear hint, a clear example of something odd happening. And that's where AI also helps. And then just finally, to close off, AI will also help with recommendations, right? So detecting, and it will also help with recommendations in the sense that it will just scan your configurations or your access controls and then make recommendations to improve that.
So it's really about leveraging the data security people working on, on the topic.
Richie Cotton: Okay, so a lot of it's about just automating tasks that might be, might be boring or like, that humans just can't do at scale. But you mentioned anomaly detection. I'm quite glad you did because I always felt like anomaly detection is one of those like, really interesting bits of data science that tends to be a little bit overlooked.
Can you just talk a bit more about like what are the cool things you can do with anomaly detection and security?
Bart Vandekerckhove: I'm not an expert in anomaly detection, so I'll continue with what I know. So it basically looks at the way that people use data. And then they have a baseline. So, this is my colleague Mark, who typically uses that much data, these data sets, to do their job. That's their baseline. And then any anomaly, that's raised as a flag.
So all of a sudden, Mark is downloading terabytes over a weekend. Well, it can be an anomaly. You detect it, you raise a red flag. It can be that Mark is disgruntled, he missed a promotion, he's gonna leave the company, but before that he just gets the whole customer data set. It's a prime example of what happens.
So really just seeing where people diverge from their normal behavior. I give a funny example. It's a funny example, but in reality, it also means attempts to log in, right? So any weird behavior that you do with data on your system, because a hacker will typically try multiple ways of accessing the data, multiple ways of accessing the system.
They're navigating, right? There's a lot of navigation before they find the crown jewels. And there are typical paths that they follow. And anomaly detection also picks up on these spots that a hacker typically uses to get to the crown jewels.
Richie Cotton: Ah, fantastic. All right. And so, related to this, we talked about the technical aspects of how AI is changing things. Is AI changing security culture as well?
Bart Vandekerckhove: Like I said earlier, the times where you could just do things manually have changed. So the pace is much higher, the scale is much higher, so a lot of automation is needed. And then the data security practitioners, you know, there's a slew of tools out there that use AI to help scale data security workflows.
So of course, these tools are becoming more important. They are training those tools. I think one thing that doesn't change, or maybe even became more important, is education. So, AI is going to be used for phishing, to get credentials, for social engineering. So I think if anything, training your employees will become more important.
Creating that security and privacy awareness with your colleagues, creating the awareness of data, of the value and of the risks associated with data, is going to become more and more important. So that awareness and the training, that's going to become very, very important.
Richie Cotton: I love that you mentioned education and skills. It's one of my favorite topics. So, I guess there's a big difference in what the data security professionals need to know and what everyone else needs to know. Maybe we'll start with the second group. So, what are the most important things you think that everyone in your organization needs to know about data security?
Like what's the one thing you'd want to teach them?
Bart Vandekerckhove: When you're working in it day by day, you will have a tendency to say there are a hundred things that matter, but one thing that matters is people have to realize that data used to be an exhaust. It used to be immaterial, right? You did your process and out of that came data. It was just a side effect.
Now data has become for a lot of companies, the most strategic asset. So it has a lot of value. But with that value always comes risk, privacy or security risks. Something cannot have value with zero risk. So the one thing that is important for people to realize is data is valuable, hence it is risky.
So never make rash decisions when people are pushing you to do something with the data that doesn't feel right. Don't do it. Just hold off, think about it, take a breather, and then just think about best practices. So the number one lesson is, as with anything, data, when it has value, is also risky.
So be careful with it.
Richie Cotton: That seems like great advice. Remembering, yeah, this is a valuable thing, not just some numbers on the screen. And so, yeah, it's something you need to protect. And related to that, for the people who are data security professionals, is there something that you think, due to all these recent changes, they might have a misconception about? Is there something they used to believe that's now wrong?
Bart Vandekerckhove: Something that we're seeing, and this is not something general, but what we're seeing, more specifically, is where data access management projects typically fail: it's where they try to do too much at once. So if anything, if you want to improve data access management or data security, just go for the least intrusive path and start from your current state.
Just get a good sense of, you know, what are the business requirements? What is the business strategy? How does the data strategy support your business strategy? And then what does it mean for how we're going to use data, and hence how we have to manage access to it? Get a good sense of that, then understand how you're currently managing access.
What are the usage patterns? See where there is a discrepancy between the preferred ways of managing access and the actual ways of managing access. And then just gradually move to a better state, each time iterating, reassessing, reevaluating, adjusting where needed, and then just gradually expand the scope of the program.
Where we've seen it fail is the companies that have not... let's be honest. Data access management for most people is not sexy. Like, the data scientists, they don't care, right? Actually, they want their admin privileges. Same for data engineers, it's more of something that prevents them from doing the things they want to do.
So they're not waiting for you just to disrupt data operations to improve data access management and data security. So that's the number one piece of advice: just do it incrementally, gradually, prove the value early and along the way, and just as you've proven the value, expand the scope of the program.
Richie Cotton: I think it's very true. It's maybe something that people just want to set once and then forget about because, you know, they've got other things to do. But as you're saying, it's something you need to maybe, or at least have someone responsible for, monitor continuously and make sure that processes get improved.
Are there any other common mistakes beyond just not doing anything about this? So, do organizations just make any big mistakes around this?
Bart Vandekerckhove: Yeah, well, the most common mistake is thinking the tool will fix everything. Actually, I hope I'm not doing harm to Raito in this way as a vendor, right? But everything starts with culture. Everything starts with people and process. So just buying a tool and thinking it will act as a silver bullet is not a guarantee.
I love to use the example of Facebook, and I know I'm jumping on the bandwagon here, but actually Facebook has great technology in terms of data classification and automated access controls. Yet it's one privacy breach, security breach after another. So it shows that culture really matters more than the tools, even the best tools.
If the culture is not there, it's not going to work.
Richie Cotton: In that case, do you have any advice for maybe what constitutes a good culture to begin with?
Bart Vandekerckhove: I think a good culture means, you know, a culture where you respect your customers' and your business partners' trust. That's where it starts. So, a culture where, of course, you have to move fast, but don't move fast at the expense of your customers' trust or your business partners' trust.
So don't be careless with their data. And just don't do things that create privacy issues or might create security risks. So it all boils down to their trust. And this also might eventually prevent you from moving faster early, I don't know. But eventually, in the long run, it will definitely make you a more sound and durable company.
Richie Cotton: And if you have someone in the organization saying, okay, we need to get better at data security we need to improve our culture. What's step one? How do you begin?
Bart Vandekerckhove: Step one is really analyzing your business, the business strategy, how you want to use data to support that strategy, and then what that means for access control. So just getting a good grip on that, getting an understanding of how you're using data, how your colleagues are using data.
Business users, data, business process, and so forth. And then assessing, okay, how is access managed today? Because ideally, your access controls kind of reflect your business process. It's only when there's a discrepancy between these two that you start having all these issues like role explosions, toxic policies, excessive privileges, and so forth.
When you know that, that's when you assess the change that has to happen. So what do we have to change? Which access controls, which new systems do we have to implement? You introduce that change and then you evaluate. And then readjust where needed, and again, you do that iteratively, right? So start small and just iteratively analyze, decide on a change, implement that change, and then evaluate, assess the impact of that change, learn, do it again.
And all the time, throughout that process, of course, you train people, you communicate well, and that's how you gradually expand the scope of the program successfully.
Richie Cotton: Okay. So, it really is a lot about getting the process right, getting a lot of training in place up front. And I think a lot of it is about, like, deciding goals as well. So, are there any, like, specific goals that are kind of good for getting started in terms of improving your data security?
Bart Vandekerckhove: So I think the goals that you set... of course, you can have some goals in improving security. I think that's a bare minimum. We talked about reducing the overprivileged users or excessive privileges, reducing the reliance on the default roles that tend to be overprivileged, unused roles, and so forth.
So that's, I mean, that's what everybody understands, but I think some other goals or targets you want to achieve are just the productivity gains. And that's when you start getting the business on board, when you can make them more productive through better data access management. There, a classic example of why people go look for a solution is to reduce the time it takes to get access to the data they need, right?
So, I've heard of organizations where it takes weeks to get access to data. Now, with a good data access management solution, a good framework, you know, good rules and processes, that can be done in a couple of minutes. So, just reducing the time to access. Also reducing the time you have to spend answering audit questions.
You're going to get audit questions. There's also new regulation upcoming. So you can expect, you know, that you have to spend time responding to audits, creating reports. So a good framework can help you save time there, and then, you know, God forbid, you know, knock on wood, the time spent responding to incidents. There was a... oh, I forgot the details, but I think there was, a long time ago, and this is not a security issue, but this is more, um, because of regulation around competition.
Actually, Microsoft, they missed the tablet market back in the day. When Apple came out with the tablet, Microsoft also had a tablet, but there was an audit or they were sued, I forgot the details, around their competitive behavior. And they had to focus their attention on answering questions from the supervisor and the regulator, so they couldn't focus on, you know, the tablet marketing, building a tablet, so they missed the boat there.
And Apple took that market. So, I mean, yes, there is a prompt investment in better security, better data access management. But the time it saves you in responding in case of a data breach, responding to incidents, answering the supervisor and the auditor, it's a lot of time that you save there. Companies, they lose markets because they have been distracted by audits or supervisory questions or data breaches. Look at Optus, they lost 10 percent of their customers.
Richie Cotton: I say, I think answering questions from auditors is nobody's idea of fun, except, I don't know, maybe other auditors. So, uh, saving time there seems like a pretty huge benefit. And you also mentioned that in some companies it can take weeks for some process to play through to get access to data.
And we talk a lot on this podcast about doing real-time data analytics, and you really can't do real-time analytics if you've got to wait a few weeks to even get started. All right, so, are there any low-hanging fruit that companies can typically make in order to improve their data security?
Bart Vandekerckhove: Data security in general, there you have easy stuff that is pretty straightforward, and something that we did actually at Raito when we got our first customers. It's pretty easy to implement; it's stuff like multi-factor authentication. Each time you log in, maybe after every 30 days, you have to confirm that you are really who you are, or who you claim to be. Having password policies, like password rotation.
You would be surprised how efficient it is to rotate passwords. Because the internet, how do you call it, the dark web is full of passwords. So relying on your old passwords or combinations of old passwords, which I used to do when I was younger, that doesn't work. I'm sounding like a boring old fart, but you know, installing the regular security updates, you know, everybody has heard it before.
That helps. And now I know more and more you see that cloud providers, they come with native encryption capabilities; just switching that on already is very valuable. So that's data security. In terms of data access management, and there I'm falling back on what I already said several times, it's just getting insights into, you know, your access and your usage.
A lot of people are blind in that aspect. So getting a good sense of how access is configured across my data sources, what my usage patterns are. Understanding that, it's a low-hanging fruit because it helps you prioritize a change.
Richie Cotton: Suppose you do decide to go ahead, you've got this data security program going on. How do you know when you've been successful? How are you going to measure the successful improvements?
Bart Vandekerckhove: So, some of the metrics that I said earlier, so reducing the time to access, reducing the time to answer audit questions, but also just, like, covering some of the risks that are out there. A metric I saw, I think it was by Microsoft, said that only 1% of permissions granted are actually used. 1%.
So that means that 99% of the permissions granted are actually not used. So that's a huge security risk, right? If those are credentials, if your users' credentials are breached and you've got 99% of ES that you can use, of course you just leave the door open. Reducing the unused privileges, reducing overprivileged roles, overprivileged users.
These are some important targets to achieve, and of course, reducing the time to access and the other questions, I think I already said.
Richie Cotton: I've got a horrible feeling that if our IT departments listen to this, I'm getting some permissions revoked very shortly, but that does seem like a good idea in general, only give people the permissions that they need in order to do their job.
Bart Vandekerckhove: So that's least privilege access, right? So purpose-based access controls, you only give them access to the data they need to achieve a certain purpose. But you'd be surprised how often people forget to revoke access, right? So the hygiene in revoking access, and just-in-time access or just-enough access, where you only get the access at the time you need it and only enough access, that's where we're moving towards.
But I mean, we're all learning. A lot of companies are still in their infancy. So just make sure that you're not the worst, because then you're going to get breached.
Richie Cotton: Do you have any advice on giving the pushback from data analysts or data scientists when, you know, they get their permissions revoked and they're not happy? It feels like that may be a common sort of point of organizational tension. How do you deal with that?
Bart Vandekerckhove: Oh, I remember getting admin privileges and the sweet, sweet taste of admin rights, you know. Of course, I didn't tell them that I still had admin rights after a week. I was supposed to, you know, they were supposed to be revoked. I was hush, hush about it. So I know how valuable it is to have admin credentials.
We've seen a lot of companies fail doing that the wrong way. Actually, when you have to roll out data access management, you're kind of putting your name and fame and your career on the line in the company. That's why a lot of people are hesitant to be the person doing that, right? Because if you take away privileges and you don't give anything in return, you're bound to fail, right?
Because they're going to work around you. They're going to find ways to work around your security. So it all starts with a good process to get the access. I'm really in favor of just removing unused privileges for data analysts. But then, of course, in return, when they need that access again to do their jobs, then it needs to be super straightforward to get that access.
And again, that's something Raito helps with, but more importantly, that requires good process. You know, you need to assign owners to approve access, and you need to have a good workflow in place to request access, configure permissions, and then have an audit log of all that.
Richie Cotton: And before we wrap up, is there anything you're working on right now at the moment that you're particularly excited about?
Bart Vandekerckhove: Yeah. Oh, wow. That's a funnily or surprisingly seamless question. So what I was just saying about, you know, automatically removing unused access, that's something we're working on with the policy recommender. So we have this AI module. Some of our engineers actually used to work at CERN and have PhDs in physics.
So we have the right people to do that. But then in return, of course, we also have the concept of pre-approved access. At Gartner, they call it birthright access, but I prefer pre-approved, that's as dramatic, and it basically means that, you know, if you have to do a certain job, that access can be pre-approved.
So when you request it, it will be automatically granted. And then another way of automating that we're working on, or automation that we're working on, are tag-based policies, where you can set policies on the data attributes and user attributes. Again, can I write a policy that says if somebody in marketing requests access to customer data for journal analysis, just automatically approve it, maybe reduce access for a month and then automatically revoke it.
So we just bring in the automation. That's what we're currently working on.
Richie Cotton: Okay. So really just about saving people the hassle of having to mess about this manually, that sounds very useful.
Bart Vandekerckhove: Perfect pitch.
Richie Cotton: Nice. All right. Super. Do you have any final advice for organizations wanting to improve their data security?
Bart Vandekerckhove: Don't start too soon, but also don't wait too long either. So, if you're still proving the value of data analytics and you have a small number of data consumers and you don't have a lot of data, yeah, I mean, who cares, right? Focus on proving the value first. But as soon as you see that it's taking direction, you start getting more data consumers on the platform, more and more data, or you start seeing more tools being used.
That's really when you start seeing the scalability issues, the growing pains in access management. And that's really the time to start thinking about it. The longer you wait, of course, the harder it will be to retrofit. So, you'll find that sweet spot, and that's typically where you see long access request workflows or questions around data access and usage observability.
Now that's about the right time to start thinking about it.
Richie Cotton: All right. So not too fast, not too slow. Just find the sweet spot. The Goldilocks approach. All right. Fantastic. Okay. Thank you very much for your time, Bart. It's been great having you on the show.
Bart Vandekerckhove: All right. Thank you very much for having me.