Data Protection & Security: Bringing It All Together

December 21, 2021
Dave Cole sits down with Nancy Wang, General Manager of AWS Data Protection and Governance, to discuss the growing convergence between security and data protection and what to look for in 2022.


Dave Cole: Hey, thanks for joining us, Nancy.

Nancy Wang: Hey, thanks, Dave. It's always a pleasure to be chatting with you about everything that is data protection and security related.

Dave Cole: Likewise. And the two things together, it's starting to feel natural and normal. But if you play it back, let's go back like 10, 12 years or in fact, go to any of a number of industries who haven't been through any level of digital transformation. And backup, data protection was something done by the IT people, the security people, even though it's all about confidentiality, integrity and availability. The availability side was kind of mostly somebody else's problem a lot of the time, at least the data protection and backup side of it. But what's happened is a funny thing, when I was at CrowdStrike, I was going through GDPR for the first time and kind of grokking the implications. I was like, oh God, I have to care about retention and backup. And these things matter a lot more to me now.

And then you fast forward into the cloud where it's no longer the IT people who care about backup. Many times, it's a different crew and building cloud platforms, at CrowdStrike, Tenable, now at Open Raven, kind of cemented that in my head that this is my responsibility as a product owner. And as someone who owns product security, that's a part of what they are. And then with ransomware now, you've got all of these things where you look at it and it's not even like a strange roommate situation. It's now just a roommate situation, like where we're in this together. And I've seen this across different websites from, your former employer and working with you all at AWS. Security and data protection, and all of this stuff are just hopelessly and beneficially kind of commingled. Now, give me your color on it. You're fresh off your talk at re:Invent. How would you reason about it, would you say it differently?

Nancy Wang: No, I think you painted it in just the right light, Dave. Because if we think about data security, a big part of data security is also resiliency, right? Making sure that data is there. So your business is up, right? Their uptime is 24/7. And so, I mean, at least our kind of mantra at AWS is that it's a shared responsibility between the customer and also the platform. Whereas, we bring world class data durability and resiliency, and it's upon the customer to make sure that those principles or say those security tenets are carried out throughout the application. And so it's important to understand how different concepts, let's say disaster recovery, data availability also come into the picture.

Dave Cole: Yeah. It strikes me that cyber insurance has played a role here too. Fundamentally with the increase in cyber insurance premiums with ransomware, cost of cyber insurance going up, it's important to know that you can recover your data and recover it, not just recover it, but recover it in a time that wouldn't incentivize you to go off and just pay it anyways, because of the operational pain and the downtime.

So all of a sudden you've got preventative measures for ransomware, you've got reactive measures and you've got the ability to recover all of these things intertwined when you go out and you have to deal with cyber security insurance, which oftentimes now is drilling right into how resilient you are, how much you prepared and so on. It's fascinating. And I know you guys have worked on this somewhat and as have we. There's yet another angle of this, which is protecting the backups themselves, which are now targets and things like backing up to a different region and using the right accounts and locking down your backups and so forth that are also a factor now, too.

So it's become much, much more complex and it's changed the role for a company like us, where we have to, as part of finding the data and pointing out and assessing whether or not it's in good shape, whether the risk is appropriate. We worked with you all to bring in backup context, but what are you guys doing on this front? I know you just announced a few really important things at re:Invent and you've been working on this for some time. How do you reason about the security controls around backups, data as a target, and so on?

Nancy Wang: Absolutely, Dave. I think a lot of folks focus on, data protection and also mitigation when it comes to ransomware. But if you actually look at kind of the whole landscape, right? And how, let's say a really great framework that I used to think about it is NIST cybersecurity framework. Is the last piece that is actually really, really important is recovery, right? Because it's great to have, these protection mechanisms, great to be taking backups, but the value of backups really comes from the ability to recover from them and get your business up and running.

So for example, when I talk to customers, right? It's a matter of actually layering on additional controls, additional monitoring on top of simply just initiating backups. Things like, for example, making sure that you can set up a secure perimeter around your sensitive data. Whether that's using, IAM permissions or for example, using multi-factor authentication tokens to secure that perimeter or whether it's using monitoring solutions such as AWS Config as well to monitor how your resource configurations are changing over time and comparing that towards, let's say anomalous patterns or known patterns of different attacks.

And then lastly, tying that all together to orchestrate let's say different game days using what you've protected or how you're going to recover in an orchestrated manner. And now it's not just at the individual resource level, right? Where I'm thinking about taking, for example, even my service is when you're protecting customers, let's say tier zero, tier one mission critical data, when you're recovering them, how do you get them as close as possible to where they were when the attack happened? So whether that's doing orchestrated recovery at the application level, orchestrating recovery between different resources that depend on each other for an application, that's where I think I'm going, right? And that's where the vision of holistic data protection on AWS exists today.

Dave Cole: Yeah, it's fascinating. I mean, it's come such a long way and it's interesting. How does the customer change? I mean, you've been in data protection for some time and know the space well, how has the customer itself changed? Like who is the typical person who you're talking to when you're taking customer meetings versus what it was five, 10 years ago?

Nancy Wang: Yeah, for sure Dave. So you're right. Been here for a while doing similar things, but it's just really fortunate to be part of like the evolving conversation. So actually pulling on a thread that you mentioned earlier in our talk Dave, which is it used to be the problem with the IT individual. That was by and large true, right? For many decades where you would stick someone in a back room, right? Who was also your DBA, who then was also in charge of running scripts, doing bin log backups and so on and so forth. Today though, and especially using my very recent re:Invent experience, the individuals that I sat across the table from were no longer just the IT individuals. Now with that said, I did definitely talk to IT individuals, but now you have more folks coming in from, for example, the CISO background, the CIO background, and actually very importantly from one of my conversations with a multinational European financial services firm, it was actually from the legal, legal and compliance perspective was also in those meetings.

And this is where I see the interesting evolution of kind of a convergence of three different pillars. So one being the data protection, which again, traditionally IT function, but also from the legal compliance. Because now they're very much attuned to, since sensitive information is pretty much all digitalized, right? Stored in various cloud providers, CSPs, or perhaps privately managed clouds, right? Being legally compliant or compliant with regulations across different countries is super important. And then of course that last component, which is how did this all tie together? It's not important to just have your data protected and also compliant, but then also how do you bring that together in the office of the CISO, right? So whether that's in the form of different reports or different board reportings, also truly important. And it's become an actually necessary skill and fundamental skill for how CIOs and CISOs are hired today.

Dave Cole: Yep. Yeah. It used to be this timeworn maxim, this rule that as a product person, you never want to cross buying centers, know your customer relentlessly. If you're selling to this person in security, if there's compliance people involved, probably better if you don't, maybe you've done something wrong or God forbid if like the cloud engineering team has to be involved or is involved somewhat too.

And I think it's just a statement of where we are as an industry right now, it just depends on the organization and how mature they are and how they blend together privacy and security, what type of data they have. It's just messy. It's just messy. And that's part of the fun, but it's also part of the complexity of where we're at right now is there's a lot of stakeholders when it comes to data from the compliance team, the privacy folks, security, sometimes there's privacy engineering, which might be in security, might be by itself, cloud engineering teams, minding the infrastructure also at times. Did you ever run into the data teams themselves?

Nancy Wang: Yeah. One big part actually that is emerging. And we see this among startups as well, is the data quality, data observability space, right? Monte Carlo being one of the probably more visible startups in that space. And how I see that converging is actually through how analysts are thinking about data protection as well. And I had some of those conversations over re:Invent, but also even back to August of this year, when my team launched AWS Backup Audit Manager, right? Where for example, you can ask questions such as how much of my environment is protected and is it being protected the way that it should be protected, right?

Dave Cole: Yep.

Nancy Wang: And these are all configuration checks and rules that you can initiate on a regular basis to monitor the health of your data estate, right? And that's really where the data quality teams themselves are also coming in, which is, is my data going to be available, right?

Going back to the data resiliency, data availability discussion, is my data going to be available for me to draw insights when I need it, right? When attacks occur, can I quickly fail over to, let's say another data warehouse so I can continue drawing those business insights to make key decisions? And you see that converging as well in how, as I mentioned, analysts think about this space. Because now that we've grown to include both compliance, as well as the IT and data protection individuals. Right now, we're being covered by several analysts who focus in different areas, but actually see this product portfolio converging.

Dave Cole: Yeah. Yeah. I mean, it's very analogous to kind of our situation where we go out, we find the sensitive data, we classify it, so that you know that it's sensitive and where it is. And we provide rules around the protection of the data itself. The infrastructure controls the rest of it around it. Whereas you all come in on the resiliency and the recovery side and so forth. The marriage of those two capabilities, it's kind of emblematic of we're catching up, right? The data teams have run really far ahead and proved out just the massive amount of value in data, driving the data economy at a kind of breathless pace. And like the rest of us are now, it feels like as an industry, we're catching up.

What we're saying is, hey, know where the really important stuff is. All this stuff isn't the same level of importance and we're not going to auto delete this for you. We're not going to redact it for you. We're not going to do crazy things. But how about some rules? How about some guardrails, both on the protection, the security controls around the data, the back of the ability to recover. It feels like it's starting to happen and we're starting to kind of catch up to the crazy pace of the data teams themselves. Does that seem fair?

Nancy Wang: Yeah. And in fact, one of the awesome collaborations that we did together this year, Dave, right? Was, how can you bring more visibility into your data, right? Going into that data thread, which is you can't protect what you can't see, right? So once you see where your data is, right? Get a bird's-eye view of what's present in your data estate. Then you think about how to protect it and also importantly, right? How to recover from your protection.

Dave Cole: Yep. Yeah, fundamentally. And we say fancy words like governance and so forth, but at the very heart of it, it's like, can I just know where it is and see what's there? Everything kind of comes off of that and we're making strides in that direction. I'll tell you, having built a lot of security products and focused on core visibility before, whether it was visibility of vulnerabilities or visibility of APTs, fancy name for human attackers and so forth, the data visibility problem is remarkably hard, remarkably hard, just the volume, the velocity, the variety of data, the fact that every customer is different. It's a fascinating problem. And one worthy of a whole bunch of folks and an entire industry's attention, so, yep.

Nancy Wang: Yeah, I mean, I'm excited to see how this space continues evolving. One of the new conferences that's emerged from the AWS perspective is re:Inforce, which will, I believe so far, let's see how Omicron plays with this, but in June of next year in Houston where it's an added focus, right? And it's going to be presented by our Chief Information Security Officer, Steven Schmidt. And talking about how AWS enables customers to have the most secure environments, right? What are the primitives, what are the controls and managed services that we offer around this area. So I'm excited to showcase what my team will be delivering then.

Dave Cole: Alright. So re:Inforce is back next year. It'll be a thing again.

Nancy Wang: Yes. And looking forward to having you guys there as well.

Dave Cole: Awesome. We'd love to. All right, thanks, Nancy. Appreciate the time.

Nancy Wang: Thanks, Dave. Always a pleasure.
