It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Aanand Krishnan, CEO and Founder of Tala Security. Prior to Tala, Aanand was a senior director of product management at Symantec where he built Symantec’s first big data security analytics platform and led key strategy projects that helped establish the company’s vision and strategic focus.
Aanand spent several years in investment banking and mergers and acquisitions at Morgan Stanley and Dolby Labs and acted as an adviser to leading security software, semiconductor and clean tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley, where he was a recipient of the CJ White Fellowship, a Master's in Photonics and Optoelectronics from UC Santa Barbara, where he was a QUEST Fellow, and a Bachelor's in Electrical Engineering with Honors from BITS, Pilani.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Thank you for inviting me. I grew up in the city of Coimbatore in southern India. While it was primarily known as an industrial city with a thriving textile industry and foundries, there was also a strong tradition of IT education, and very good technical and engineering schools. Perhaps because of this, I had a keen interest in science from an early age. I moved to the US for my higher education to further pursue this interest.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
Apart from my own personal interests, my career has been shaped significantly by the incredibly rapid pace of innovation we’ve seen over the last couple of decades. I started out in telecoms and fiber optics, and then took a detour into the world of investment banking. It was during my time as a banker that I was exposed to the fascinating, dynamic nature of IT security; it’s one of the few industries where you have an active adversary. It also became clear that cybersecurity wasn’t going to exclusively affect the IT sector, but would also become an important battleground between nation states. I find this fundamentally interesting.
Can you share the most interesting story that happened to you since you began your career?
I’ve always been entrepreneurially minded, and Tala and the team here have really given me the opportunity to build on this — it’s the best thing that has happened to me in my career. I can honestly say that I have learned far more in the last 4–5 years than in the previous 15.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
The former CTO of Symantec, Amit Mital, gave me my launch pad into IT security. Although I was very new to Symantec and even the industry, Amit trusted me, and asked me to lead an important strategic project. His trust and mentoring helped me enormously. Not only did I get to work with some of the smartest minds both within and outside the company, I met my co-founder Sanjay Sawhney through that project. I’d like to add that Amit was recently chosen to be the Special Assistant to the President and the Senior Director at the National Security Council at the White House — a testament not only to his skill and leadership, but also to how critical cyber security has become to national security.
Are you working on any exciting new projects now? How do you think that will help people?
I strongly believe that we’re entering a new era of digital data privacy. Over the last 2 decades, companies like Google, Facebook, Twitter and so many others have recognized the incredible value of consumer data, preferences, purchasing history, and so much more. Today, data is more valuable than any other commodity — probably even more than oil.
The flip side of all this is that consumers and regulators are beginning to recognize the importance of data privacy in this context. There’s a real sense of “If it’s my data, it’s my asset, and I need to know what you’re collecting and who you are sharing it with.” We have seen a lot of regulations come into play to address this, including the EU’s GDPR as well as California’s CCPA, which was recently updated to include more privacy options. This is forcing everyone from retailers to publishers to re-think how and why they collect personal data; they have to move away from simply gathering everything to being more strategic about it. At Tala, we’re really excited to be working on privacy technologies that will benefit both the enterprise and the end user — we’ve developed techniques to help enterprises identify which vendors and third parties on their website can access, read and share sensitive data. This not only helps businesses build a better understanding of the types of data they’re collecting, but also gives insights into potentially risky sensitive data exposure.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
There’s no such thing as ‘one-size-fits-all’ for people and their careers. I believe the most important thing is to know your strengths — and your limitations — and be able to recognize when to step up or step back, maybe even change direction. It’s also a real advantage to have a mentor who can be a sounding board when you’re stuck.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc., about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
Businesses are directly responsible for the protection of all sensitive customer data. Regulations like GDPR and CCPA require you to map all data flows within your applications along with accountable parties as well as the lawful basis for data collection. A breach could cost millions in regulatory fines — not to mention remediation, reputational damage and lost business. Most enterprises collect large volumes of sensitive customer data via web applications and third-party code integrated into their websites, such as online forms, marketing analytics and chatbots. At the point of entry in the browser, sensitive information is susceptible to third-party exposure as well as inadvertent sharing of information.
Typically, data governance teams have processes in place that address third-party risk management and website compliance. However, maintaining checklists and constant auditing is tedious and has significant long-term operational gaps.
Detecting real-time data exfiltration on the web and tracking the online behavior of third parties requires a thorough, automated detection strategy. When it comes to web applications that handle sensitive data, every website owner should be asking the following key questions:
- How well are we scrutinizing these apps and their behavior?
- Who has access to what data, and what is the level of access? Are they sharing this data further and with whom?
- What kind of rules or controls to block potential exfiltration or data theft do we have in place?
- How are these controls enforced and is this manageable on an ongoing basis?
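One concrete way to answer the "who has access to what data, and who are they sharing it with" questions is to let the browser report every third-party script load and outbound request a site's pages make. The following is an added example, not from the interview or any Tala product; it assumes a `Content-Security-Policy-Report-Only` header with a `report-uri` is deployed, and the report shapes and hostnames are constructed placeholders.

```javascript
// Added example (not from the interview or Tala's product): inventory the
// third-party hosts a site's pages talk to, using browser-generated CSP
// violation reports. A Content-Security-Policy-Report-Only header makes the
// browser POST a JSON report for each script load or outbound request the
// policy would not allow, which passively records which vendors get data.

// Directives describing data leaving the page rather than code arriving.
const DATA_SENDING_DIRECTIVES = new Set(['connect-src', 'form-action', 'img-src']);

function hostOf(uri) {
  try { return new URL(uri).host; } catch (e) { return uri; } // e.g. "inline", "eval"
}

// Builds { host: { count, directives, documents } } from a list of report
// bodies (the "csp-report" object in each browser POST), skipping first-party.
function inventoryThirdParties(reports, firstPartyHost) {
  const inventory = {};
  for (const r of reports) {
    const host = hostOf(r['blocked-uri']);
    if (host === firstPartyHost) continue; // own origin is not a vendor
    if (!inventory[host]) inventory[host] = { count: 0, directives: new Set(), documents: new Set() };
    inventory[host].count += 1;
    inventory[host].directives.add(r['effective-directive']);
    inventory[host].documents.add(new URL(r['document-uri']).pathname);
  }
  return inventory;
}

// Hosts that receive data from a page where sensitive input is collected are
// the ones to review first ("who are they sharing this data with?").
function dataRecipients(inventory, sensitivePaths) {
  return Object.entries(inventory)
    .filter(([, e]) => [...e.directives].some(d => DATA_SENDING_DIRECTIVES.has(d)) &&
                        [...e.documents].some(p => sensitivePaths.includes(p)))
    .map(([host]) => host)
    .sort();
}

// Constructed sample reports, in the shape a browser posts to report-uri.
const SAMPLE_REPORTS = [
  { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'script-src', 'blocked-uri': 'https://tags.vendor-a.example/tag.js' },
  { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'connect-src', 'blocked-uri': 'https://collect.vendor-a.example/beacon' },
  { 'document-uri': 'https://shop.example/blog', 'effective-directive': 'connect-src', 'blocked-uri': 'https://cdn.vendor-b.example/metrics' },
  { 'document-uri': 'https://shop.example/checkout', 'effective-directive': 'connect-src', 'blocked-uri': 'https://shop.example/api/cart' },
];

const INVENTORY = inventoryThirdParties(SAMPLE_REPORTS, 'shop.example');
console.log(dataRecipients(INVENTORY, ['/checkout'])); // [ 'collect.vendor-a.example' ]
```

Running the report-only policy for a few weeks before enforcing it turns the inventory into the allow-list for the real policy, so nothing legitimate is blocked when enforcement starts.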
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
Definitely. Legal requirements evolve, but the basic principle of privacy is to make sure that access is only granted on a need-to-know basis, and data is not retained longer than necessary. Organizations that take privacy seriously make sure that they clearly outline what kind of data is retained for how long, together with sufficient rationale for the specified timeframe (as the GDPR puts it, collection should be ‘proportionate’). That being said, there are some categories of information that might need to be stored longer due to tax, accounting, regulatory or other reasons and businesses should make sure that they communicate this to their customers.
In the face of this changing landscape, how has your data retention policy evolved over the years?
I think it’s absolutely critical to understand what regulations and legal frameworks apply to your business before you draft your policies. We constantly keep tabs on new regulations that might impact our organization. As a general rule, we have focused on transparency with our customers and carefully making sure that we only store data that is in line with legal requirements and best practices.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
We make sure that the data we collect is not accessible outside our critical infrastructure. Some of our customers might ask for access for their users from time to time, but we make sure we tightly control it. We use technologies like encryption, multi-factor authentication, integrity MACs, etc. to limit exposure or unauthorized modification of any sensitive information. We only store data that is critical for us to continue providing our services to our customers and we always communicate this to them, along with the controls and choices they have for deleting or controlling access to that information. How long we retain data depends on customer preferences as well. For example, if they wish to delete all information about a web application, we’ll delete all data within a specified time period. We’ve also implemented controls for customers to archive their data.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
As a data security and privacy platform, we take privacy very seriously and this has led to us internalizing the privacy-by-design concept in all our processes concerning data. There are tons of regulations being drafted by states across the US and countries around the world that will eventually result in an international standard for data privacy. Most organizations are still struggling to maintain checklists and auditing procedures so their ability to embrace automation and adopt privacy as a business goal will determine whether they can remain compliant with upcoming legislation and ensure privacy for all their customers.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Data retention has become increasingly complicated, mostly due to the sheer volume of data that organizations are required to manage. Many solutions have attempted to automate this process. In my opinion, the market is yet to mature and we’ll continue to see new solutions emerging to address this need.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
I think that, in the wake of the high-profile SolarWinds attack, the cybersecurity community — and industries in general — have started paying more attention to the concept of supply chain attacks and the risk posed by third-party code integrations on websites. At Tala, we’ve been saying this for a long time — almost two-thirds of the code loaded into the browser today (tag management, analytics libraries, form builders, audio/video integration, social media, etc.) is fetched from a third party. Attackers have been exploiting this vulnerability for a long time and it’s the right time to be vetting your third parties as well as installing security controls that give you visibility and control over how they interact with your mission-critical applications.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
- Map your online customer journey: What are the places where your customers enter information that can potentially be sensitive, either by itself or in the right context?
- Inventory and document data collection activities by third parties: Taking stock of where the data is going can help organizations take early steps to restrict unauthorized access to data on websites and monitor third-party integrations on a ‘need to know’ basis. Data inventories and maps provide an understanding of your risk profile and help you fix flaws proactively.
- Evaluate and monitor your vendors: The SolarWinds attack has brought the third-party risk management problem to the forefront. Do vendors in your supply chain have the right processes in place to ensure data integrity is maintained? Do they really need access to this data, and how compliant are they? It’s time to move beyond vendor questionnaires and actively monitor your vendors’ security posture and interaction with your website.
- Focus on ‘privacy by design’ as opposed to compliance checklists: To fully mitigate risk, organizations should secure all data present on their servers, cloud applications, containers, endpoint devices, networks and web applications. Traditional solutions help meet the majority of compliance and auditing requirements — but cannot provide assurance for the data present on your website.
- Implement security measures to prevent data breaches: Sensitive data exposure is #3 on the OWASP Top 10 web application security risks. Taking adequate security measures to ensure that data on your website is protected from unauthorized access can go a long way towards preventing fraud and fines for non-compliance. These measures include web security standards like CSP, SRI and HSTS — all of these have been developed and advanced by industry experts, specifically to address this problem. It’s important for the security teams to work together with privacy teams in your organization.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I would definitely inspire people to pay more attention to the information they consume on a daily basis — terms like “post-truth” and “fake news” have become increasingly common in our social discourse and we should definitely be avoiding deceptive narratives on media and social media.
How can our readers further follow your work online?
You can find me on LinkedIn at https://www.linkedin.com/in/aanandkrishnan/
If you want to learn more about what we’re building at Tala, please visit our website: www.talasecurity.io
This was very inspiring and informative. Thank you so much for the time you spent with this interview!