Guarding data then, now, always.

When it comes to innovation, they teach you in business school to find problems that people are having and solve them. The founders of Spirion, David Goldman and Todd Feinman, were ahead of their time when they saw back in 2006 that personal information on computers was a problem waiting to happen. Their first product was intended for consumers to put on their home computers (right along with anti-virus) to search for personal information so that it could be removed.

It is also taught in business school that you might not always get it exactly right the first time (or second or third), so fail fast and pivot. Todd and David pivoted to higher education, where personal information is needed for enrollment, financing, alumni connections, keeping grades and storing intellectual property. These billions of records were a perfect proving ground for honing discovery algorithms. In 2014, the Sony hack reinforced Todd and David’s belief that personal information was the most important thing to protect. They felt Sony would eventually be fine, but the personal information lost could be damaging to the employees and customers of Sony forever.

The data security and privacy industry has gone through pivots of their own. Back when I was running a SOC at Motorola, the assumption was that you had a physical data center located at headquarters to protect. So you put it on a LAN, dropped a firewall in front of it, installed anti-virus on the Windows machines (it was thought virus weren’t an issue on Linux and Macs were not considered at all), and tracked your logs in a centralize syslog sever that connected to a SIEM. This was the “castle and moat” approach.

The castle-and-moat approach failed (or is failing) for two key reasons. 1. It is easy to get around the moat. Of course, there are sophisticated attackers that can figure out ways directly through the firewall, say when zero-days came along or they spot bad configurations, but it is way easier to use social engineering on the organization’s employees. The primary way is through email where users can be tricked to download malware right into the local network or be tricked into giving up credentials on a fake website. Once in, the bad guys can move around freely for as long as they are careful and exfiltrate data on their own time. 2. The second reason is there is no moat. From the cloud, to BYOD, and now to remote workers, there is no “perimeter” that can be guarded.

The next phase was, and still is, “zero-trust” where we accept that there is no moat and put access controls around the data assets (laptops, servers, databases, IaaS storage, SaaS applications) themselves. This is certainly a step-up in security, but it too has issues. The first issue is how to put access controls on all those assets, and how strong should those controls be? The second issue is the sheer number of resources to implement zero trust is out of reach for most organizations. Finally, zero-trust can lower the “blast-radius” of an attack, but at the end of the day, if an employee downloads malware to their computer, it can still get access to that computer at the least, and maybe through that computer, get access to other assets.

At Spirion, we believe that zero-trust is still key, but believe that the data must be what drives the strategy for implementing security. Finding the data should be the first step in any security or privacy program and filling out questionnaires isn’t good enough. Only by scanning the data can an organization be sure that they are protecting the right assets with the right security. Our customers confirm this with stories of finding millions of credit card or social security numbers on the laptops of people who shouldn’t have them. Most of the time, people are not malicious, they are simply trying to do their jobs. But malicious or not, this proliferation of sensitive data is a real problem and Spirion is here to solve it.