In S5E20 of the Brilliance Security Magazine (BSM) Podcast, Ron Arden, the Executive Vice President, CTO, and COO of Fasoo, joins host Steven Bowcut to shed light on the often-overlooked realm of unstructured data security.
In Part 3 of this conversation, Ron and Steven look into future trends in data security and how companies can get started on their journey to encrypt, control, and manage their unstructured data.
Well, let’s ask you to dust off your crystal ball a little bit and look into the future. What do you see as far as future trends, or do you see any movement in a certain direction that you can share with us?
I think two things are becoming big. Let me start with the one that everybody’s talking about in the last year, which is AI. So when ChatGPT came around, I think the world went nuts. And there are two issues that I see with that. One is that a lot more people are using AI, whether it’s a public model or a private large language model, to generate content. It could be anything from code to marketing materials to who knows what. So you’re just going to generate a lot more content and you need to protect it.
We have ways to protect it and make sure it doesn’t leak out of your organization. The other thing I think with AI, especially with public models, is people are concerned about their intellectual property or regulated data getting up into the model because I’m going to copy and paste a bunch of stuff as questions or prompts. And even though all the models claim that they don’t keep that data for training purposes, I don’t really believe that. I don’t know. A lot of people do. I know they’re getting better about it, but still, there’s a risk. So if your sensitive data in documents is protected and we can control copy and paste, then I can’t copy and paste that information up into a large language model. I think those are things that are going to continue and we’ll see how this all plays out. AI is changing day to day, so we don’t know.
The other big thing I referred to earlier about data lineage, and I think in the world of privacy, this is going to become bigger and bigger. I’ll give you an example that a friend of mine mentioned. Let’s say he or a company signed a contract five years ago, and there are copies and derivatives and related documents to that contract. And now the contract is no longer valid. Well, how do I know where that contract is? How do I know who has access to the contract? And how do I know that if that contract is no longer valid, should it be pulled out of circulation so that any sensitive data in there potentially couldn’t be compromised? If you think about this and all the things we talked about, where things could be in the cloud, things could be on mobile devices, they could be anywhere.
How do I as a company figure out where that data is? And so to understand the lineage, which is all the derivatives and copies, and every time I did something to that file, where it is, how do I find it, how do I file it, if you will? I think that’s going to become a bigger and bigger issue. And part of that reason is because of what I said before, the cloud. The cloud is like the cheapest thing in the world. Spinning up another terabyte of data storage is nothing. So I think that’s going to get worse and worse and worse as we go forward. And I think it’s just going to start driving more security, hopefully, Fasoo security, to help address some of that.
Interesting. Fascinating. So is there any specific advice that you could give our audience, actionable things that they can do either in light of these future trends or anything that we’ve talked about today?
I think that when we talk to companies, as I mentioned earlier, I consider two types of data. There’s stuff that’s public and there’s stuff that’s not. And so if you think about it like that and think about very simple use cases, think about where is the biggest risk in your company. Depending on who you are, it could be HR, it could be Finance, it could be R&D, it could be M&A, depending on the industry. And what I recommend is to look at simple protections for that type of information. If you’re an organization that needs to comply with, say, GDPR, well, probably most of that is in HR and Finance. So think about simple protections. The simple protection can be when users in those departments create documents, they are automatically encrypted. And they’re encrypted with a pretty open security policy so people can View, Edit, Print, and do everything that they normally need to do. But if that data were to somehow leave the company, either deliberately or accidentally, you don’t have any risk because the documents are unreadable. So I think that’s a simple way to start.
And if you’re a regulated industry, you can tell your regulators, okay, so anything sensitive I can guarantee can’t be seen when it goes outside the organization. So I’ve covered that piece. I’ve impacted very few people in the organization. I’m not preventing them from doing their work. And then as you start thinking about other areas in the business where it might make sense, you can start expanding. Maybe it’s a department by department or division by division. If there are certain things you want to ratchet up, maybe there are more sensitive things that only executives should see, or maybe there are only certain departments that need access to. You can start dialing up the security. So we always recommend starting very slowly, getting the basics done, and then progressing as you need.
See how it meets your needs. Excellent. Great advice. Thank you so much. But we are out of time. Ron. But I do want to end with kind of an open-ended question that I always like to end with. And the essence of the question is, what should I have asked that I failed to ask you? But the question is, what else does our audience need to know, either about Fasoo or about protecting and managing unstructured data?
I think that one of the other big areas we address with some of our products is redundant, obsolete, and trivial data. So ROT. And that goes back to the conversation we had before about everything is everywhere. If you think about your data, and I’m doing a lot of this bifurcation of data, current data is probably information that people have worked with in the last year, and old data is beyond that. Different companies will have different timetables, but that’s a pretty common thing. Think about how can I determine what is old data, what is redundant data, and what is trivial, which means I don’t care about it.
If you think about trying to find that and manage it, we have products that will help you reduce the problem. Because if you’re only really worried about the current data, that might only be 20% of your data. The other 80%, maybe anything that’s older than a year, I’m going to automatically encrypt and put a basic policy on it. I’m not going to worry about coming up with fancy rules to determine anything about it. I’m just going to say, yeah, I know that stuff’s protected. So now my threat surface is a lot lower and I don’t really need to worry about so much of what I was terrified about when I first started the process. So I think those are things that people need to think about.
The other area that I talk about is there’s a lot of security technology out there. Firewalls, intrusion detection, DLP systems, and a lot of things that focus on the movement of the data. I’m never going to tell somebody that you should get rid of your security technologies because all of them are there for a reason. But if you’re protecting the file itself, then sometimes some of those other technologies are not needed because I don’t need to worry about where. As you mentioned earlier, it doesn’t matter where the document goes, it’s always protected. So maybe I don’t need as many of those layers. It can sometimes simplify your security stack and your IT stack, because one of the problems with a lot of the technologies today is there are so many alerts, and trying to manage all the alerts, just becomes noise. So sometimes you stop listening. It’s like if you live in a city and you hear the garbage trucks every morning, you don’t even hear it anymore.
So that’s a way to help simplify some of the IT and security operations in an organization.
Excellent. Thank you so much. Ron, thank you for being with us today. I appreciate your time. This has been a fascinating conversation. I’m sure our audience is going to love it.
Thank you, Steven. I appreciate the time.
All right, and a big thanks to our listeners for being with us. Please remember to like and subscribe if you find this podcast interesting, and join us next time for another episode of the Brilliance Security magazine podcast.
The transcript of this conversation has been shortened and edited for clarity and the blog format.