Transcript
Mike Matchett: All right. I'm looking at this, and you've laid out, you know, an interesting proposition here. What I think, right, you want to know who, you want to know where, you know, what you don't know what's in the data, which is all fine and good. But I don't see how you do that. I don't see how that's going to happen, right? And so, yeah, it's great to say we do visibility and we got to do it at scale and we got to do it across distributed users and we got to do it across multi, multi nefarious platforms. But how do we start to get into that?

Hank Schless: So I think that, you know, step one is being able to evaluate what your exposure is so that you can understand how to be able to mitigate that risk. So these bullets here, I think, are pretty broadly applicable regardless of what industry you're in, what PII you're trying to protect. To Andy's point, what compliance standards or data privacy laws you have to align with, all of these things I think are really good first steps to be able to take, right? Being able to find data, you know, by industry-known mechanisms, right, for these common data types. And again, regardless of, if you're in health care in the US and you need to understand for HIPAA, you know, whether you're elsewhere in the world, really being able to identify what that unique data is, what is proprietary to your organization. And then reporting. I mean, reporting is a critical part of this that we haven't even really touched on, and I think would probably be a whole other session, right. Being able to tell people, hey, and people being, you know, whether that's a compliance officer, whether it's your CISO, whoever it may be, people who care about this, you know, being able to say, hey, this is what's going on within the infrastructure. This is what our users are doing. This is what devices, you know, are touching the data. And then on top of all of that, what happens if it leaves the cloud? You know what? What is that big question mark that I had in the previous slide? So I think these are kind of four ways to start thinking about things. And, you know, if you have anything you want to add to that.

Andy Olpin: Um, no, actually, what I think is this leads into the next section, right? This is just kind of a teaser for the real important section, which is what do I do now, right? So you've told me you have all this data. What do you want me to do? So let's start to get into a little more specifics here, right? Instead of just talking generally, data is important, you got to find it. You probably already know that. So let's take a hypothetical example. Let's say you're a customer using Office 365 and, you know, you have a lot of data there, right? So you talk about other clouds, but let's start with Office 365, because, you know, that is probably the warehouse of your most important data, right? So we do something called a risk assessment or, you know, kind of a data survey. So we connect via an API to your Office 365 tenant; it takes maybe 20 minutes, right? Then we start gathering information, right? So it isn't something where we go in and start pulling all the data off. What we're doing is connecting and then watching your user behavior, right? So we're watching what data they access, when, with whom, what data is out there, what's the sensitivity, who is it shared with? Right. So we're just trying to build a picture of what's going on. Now, the other thing that is a challenge is, okay, even if I give you that, like we said earlier, if you come back with 10,000 files, that's not really actionable still, right? Because the amount of work there is heavy. So now we start planning actions with the data we've gathered with that visibility step. And though it's the third bullet point in this section, it's an important piece to consider. I want to not interrupt work, especially not to start with, right? Because when you're starting any kind of program for managing data, if the first actions I take are interrupting work, right, I start removing external collaborators from sensitive data and then your finance department goes, hey, those are really important people that I shared this data with on purpose because they're collaborators in generating your annual report, right? I'm going to get destroyed, right? So we want to do some quick wins that don't interrupt work. And you might be saying, well, that doesn't make a lot of sense. How am I going to protect my data? So some of this comes back to user education, right? So now what I can do is go in and do something like this. Let's say if I find a document with a social security number on it, eventually I might want to redact that social security number out, or I might want to stop it from being shared. But to start, what if I just put a watermark on that document today? Confidential, right. So that my users are going, hey, whoa, where did this watermark come from? This is confidential. Oh, I saw an email about that. Right. I haven't stopped them from sharing. I haven't done anything else. I'm just trying to help educate the users. Same thing I can do if they create a positive data. Even if I'm not ready to take the step of removing that link, I can email the user: hey, Mr. User, you created a link that's visible to the entire world with a document with social security numbers in it. Are you sure that's what you want to do? Right. So we're educating the users as a first quick win, right? So even before you're having to plan how do I address all this stuff, we can start telling the users when they're doing something that might be a little risky.

Hank Schless: Yeah, I think those are, I mean, I think the great thing about this is that I think those quick wins are really important. You know, it's a way to get buy-in from everybody who, you know, if you're the one saying we got to do this, team, like, this is, you know, this is a priority, when you can get those quick wins and see how, um, and really understand, you know, the work ahead, but understand it in a way, again, that's consumable. Um, and in a way that's not actually interrupting anyone's workday. I think that's sort of what you want. That's the golden step. Yeah. And.

Andy Olpin: And sometimes it can be hard because the other thing that people have to understand with data security is, just like any security practice, it's an iterative, repeating process. This isn't something where you go, oh, I'm gonna go buy me a DLP solution, I'm gonna put it in and we're done, we walk away, right? This is something you have to plan. You do your first iteration, you do your quick wins. You start figuring out where you want to limit data. But even after you've done all that, you've got to go back and look. Are there data types that we're not searching for? Are there other data types that are important to the business? Are there data types that are important to a subsection of my business that I wasn't previously aware of? Right. So this is an ongoing iterative process, but the whole, and it also might be, hey, I've tackled Office, now what about Salesforce? Oh, I have this little sub-department that's using Box for collaborating data, right? How do we bring that in and start pulling it under the same umbrella and doing the same policies? So the point is that we want a tool that helps you do all these things, that makes the work achievable, but you're still going to have to be iterating constantly on what data you're looking for and where it is and what you're doing with it.