“Visibility can be achieved with no impact on performance”, With Jason Remillard and Manav Mital of Cyral


Visibility can be achieved with no impact on performance. In the old database world, database security meant two things: either agents or proxies. Both had their deficiencies, and both had a massive impact on latency and performance. However, there are ways to deliver stateless interception — and we’ve proven this at Cyral — to get to the same level of visibility and control with no impact on how quickly you can access your data.

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Manav Mital, co-founder and CEO of Cyral, a Security as Code software company that helps teams observe, control, and protect their most sensitive data. Since Cyral was founded in 2018, organizations of all kinds — from cloud-native startups to Fortune 500 enterprises — have begun working with the company as they embrace DevOps culture and cloud technologies and find their existing security tools out of sync with a modern data layer.

Manav was previously the founder and CEO of Instart, a startup in the CDN space focused on improving web and mobile application performance, consumer experience, and security. Instart served notable enterprise customers and was acquired by Akamai.

Before founding Instart, Manav worked with Aster Data, where he managed the design and development of major components of their flagship product, including the core database engine and all query processing. Aster Data, a pioneer in the big data market, was acquired by Teradata Corp for 263M dollars. Aster is also where Manav met his Cyral co-founder, Dr. Srinivas Vadlamani. Before Aster, Manav was part of Yahoo’s Web Search team, where he helped in designing and building systems to improve search rankings by better web page classification.

Manav has an MS in Computer Science from UCLA and a BS in Computer Science from the Indian Institute of Technology, Kanpur.

Thank you so much for joining us in this interview series! Is there a particular story that inspired you to pursue a career in cybersecurity? What attracted you to this field?

While we are building a product in the cyber space, the problem we’re tackling is really about inefficiency and complexity. I was born in a small town in India, where to heat water, I would have to use a wooden rod with exposed wires, which I had to plug delicately into a socket. Here in the U.S., you just turn the faucet and water comes out — that’s what technology does. There’s no question that the life of everyone who does data analytics, for example, has been drastically simplified over the last few decades. But security is still complicated like that wooden rod. And I believe that it doesn’t have to be.

Can you share the most interesting story that happened to you since you began your career?

The one that comes to mind is probably more on the “insightful” side. Earlier in my career as a software engineer, I always thought marketing was about gimmicks, cool words and bombastic expressions. Then I became an entrepreneur and at some point met with a marketing exec at the famous Printers Cafe in Palo Alto. He said something that stuck with me through all the years: marketing is about being able to simply tell a story that people will understand and remember. That conversation changed my perspective not only on marketing, but also on how I talk about the products that I build.

Are you working on any exciting new projects at Cyral right now?

All projects are exciting for me! But the one I keep thinking about the most right now is our company messaging and positioning. We’ve just hired our first VP of marketing, and we’ve been spending countless hours figuring out the best way to explain to the world what Cyral is. What we’re doing is new and unique — it’s not a next-gen version of an existing product. Something like this has not existed before, and we want to find a way to tell a story that will make people as excited about what we do as we all are.

What are the 3 things that most excite you about the Cybersecurity industry?

I always find myself grateful for being in the space where our work matters. Don’t get me wrong, there are so many wonderful technologies that make our lives better. And yet there’s something about cyber security that makes my work feel meaningful and tangible. At least to me, there’s no better job than helping organizations protect what matters to them the most.

I may be an optimist, but I don’t share the doom-and-gloom sentiment about cyber security. I believe the industry as a whole is getting a lot of things right. And sure enough, breaches will be inevitable, but every day, we’re making the job of the bad guys harder, and the jobs of security practitioners easier.

I am very excited to see the adoption of Security as Code and DevSecOps. Making security a part of the broader engineering and development efforts has always been a challenge, but now we have the frameworks that have proven to work, and tools that make this work easier. We humbly believe that Cyral is one of these solutions.

What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share an example for each.)

When you think about data, think “value.” Data is everything that constitutes value to the company. For the vast majority of organizations, data is what fuels all their systems and keeps the business going. This value can reside in a database, data warehouse or pipeline. Expanding the notion of data beyond some number in a cell in some abstract database is absolutely critical as you evolve your approach to data security.

Data cloud is fundamentally different from its predecessors — application and infrastructure clouds. It’s faster, cheaper, more efficient and interoperable than anything you can have on-premises. It’s also a lot more multifaceted, heterogeneous, and hence complex. Every time a new type of cloud appeared, security had to be rethought. Organizations are only now starting to realize that with data cloud they are dealing with a completely unique security challenge.

Data security is impossible without the notion of identity. Identity is already a big part of the application and infrastructure clouds. Data cloud is unique, however — the same identity controls like SAML don’t work with modern data repositories. Once organizations make identity a cornerstone of their data cloud security posture, everything else — particularly things like observability and performance — will be a lot easier.

Visibility can be achieved with no impact on performance. In the old database world, database security meant two things: either agents or proxies. Both had their deficiencies, and both had a massive impact on latency and performance. However, there are ways to deliver stateless interception — and we’ve proven this at Cyral — to get to the same level of visibility and control with no impact on how quickly you can access your data.

Data security is a shared responsibility. This is something that will continue to be true by design. More importantly, Developers, IT, and Security don’t have to be at odds with each other — they just need to design their work around this necessity. And no one needs to reinvent the wheel here: things like DevSecOps and Security as Code have proven to work not just to improve security, but also to improve collaboration and speed. Don’t underestimate these practices — they are truly remarkable.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

One of the Chief Data Officers that I recently spoke with said it very well: especially after COVID-19, we are seeing significantly more new people using the Internet in absolutely new ways — to shop, to interact with government agencies, and even to receive healthcare. Think, for example, of the older generation that is embracing online shopping. For hackers, these new people are fresh blood, an easy target that can expose credit cards, personal account information — not through negligence, but through mere lack of experience. Not only can these people be an easier target — they are by definition an easier gateway to bigger impact cyber crime. Cyber security pressure is going to increase, and I encourage security practitioners to think long and hard about what their exact steps will be if all their identities have been compromised.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

What we see specifically in the context of data breaches is that the tooling and practices organizations have are not up to par with the challenges that they are up against. Sadly, the most common thing we see to this date is the basic failure to properly configure security groups when creating a new database, which results in exposed data endpoints. One common example of a poor practice is when all analysts share a single username or when multiple senior IT members use the same admin credentials. Another example is the failure to recognize basic abnormalities in data accesses — for instance, higher than average authentication failure rates or spurious MFA checks, which often signal that database password spraying is taking place. Finally, another common sign that something may be wrong is the constant invalidation in application queries or suspicious ad-hoc updates to catalog/system tables, which are common in SQL injection attacks.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Too often, I see people confuse application and network security with data security. Remember, threat actors are really going after your data. Apps and networks are just the gateways to this data. That’s why when people read about breaches detected at the app and network level they get excited, and think that this is where they should start in thinking about their security program. In reality, attackers go through the pathways no one is even watching: they use your admin’s shared database credentials, perform SQL injections, and trickle exfiltrate data, for example. None of those things can be caught at the app or networking level.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Absolutely yes. In fact, COVID-19 sped up some of the bigger trends like data democratization and digital transformation. Last year, you could work with these trends at your own pace. Today, you have no choice but to embrace them. This may not be the case for some cloud-first enterprises that have been on this journey, say, for a decade, but those are few and far between. Take data, for instance — in order to make it readily accessible to your remote workforce, you’re probably diversifying your data footprint, using more tools and microservices to connect it, thereby increasing the complexity of your data cloud. Human mistakes like misconfigurations and exposed databases are bound to happen in this scenario. Our goal is to equip every organization with the right toolkit to fix this problem, and all we can hope for is that organizations become more aware of the true nature of the security gap they are dealing with.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
