Feb. 2, 2024

Data Security and Privacy with Ganesh Kirti


In this episode, Ganesh Kirti, the founder and CEO of TrustLogix, discusses the challenges of securing data in the cloud and the need for comprehensive data security solutions. He explains how the modernization of data platforms and the increasing amount of data being stored and accessed in the cloud has made data security a complex problem. Ganesh also highlights the importance of security observability and granular access controls in protecting sensitive data. Ganesh emphasizes the need for collaboration between CISOs and CDOs and adopting interoperable and cloud-native solutions. Additionally, Ganesh discusses the partnership between TrustLogix and Snowflake and the role of AI in data security. He concludes by offering advice on protecting personal and enterprise data in an increasingly breached world.

Top 10 Topic Issues Discussed:

  1. Data security challenges in the cloud: Discussing the complexity and difficulty of securing data in the cloud.
  2. Data modernization and cloud migration: Exploring the trend of companies moving their applications and databases to the cloud.
  3. Data access and collaboration: Highlighting the need for secure data access and collaboration among employees, partners, and contractors.
  4. Lack of security expertise: Addressing the challenge of implementing effective access controls and security measures without specialized security expertise.
  5. Security observability: Emphasizing the importance of monitoring and identifying data risks and vulnerabilities.
  6. Remediation through access controls: Discussing the need for implementing least privilege access controls to mitigate data risks.
  7. Data classification and tagging: Exploring the benefits of data classification and tagging in securing data access.
  8. Complexity of data platforms: Addressing the challenges of securing data across multiple data platforms and cloud providers.
  9. AI adoption and security concerns: Discussing the security implications of AI adoption and the need for protecting AI models and data.
  10. Importance of comprehensive security programs: Highlighting the need for a comprehensive security program that includes monitoring, detection, and protection measures.

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso

Visit https://www.candidciso.com for show notes and more episodes. 

Candid CISO is produced by Nonconformist Innovation Media.

Transcript

John D (00:00.646)
to the races. Alright, thanks Steve.

Steve (00:02.72)
in your life. Have fun, gentlemen.

John D (00:10.095)
Our guest today is Ganesh Kirti. I've known Ganesh for a number of years throughout his security product and startup career. And I'm looking forward to a good and candid discussion today about many things, including tracking and securing your data wherever it may be, especially in this world of multiple cloud platforms and different data science platforms and things like that.

We will even hit upon some of those AI and machine learning topics before the end of our podcast. So hang on in for a great and candid conversation. Welcome Ganesh. Can you tell us a bit more about yourself, your journey here in technology and security, and just briefly about TrustLogix. We'll touch on that some more here later during our conversation.

Ganesh (00:51.512)
Yeah, hey John, so excited to be here and thank you so much for inviting me. It's an honor chatting with you today. And I've known you for a while, you're one of those guys, I think that you're proactive when it comes to security and you help collaboration, that's, you're one of those guys I know in a long time. So it's really honored to be talking to you today. On my background,

John, I've been doing security a long time. It's been 20 years, been building security. That's my passion. That's the only thing I have done in my career, building security solutions for customers. Had an opportunity to work on, back in the days when single sign-on was just coming up in the industry, implementing single sign-on solutions for as the web applications become popular, and that's the worst. And I come from that background and...

spend a lot of time at Oracle building multiple security products, including in the identity management and data security space. This is my second company as a founder. My first company was a cloud security company. I was one of the two co-founders, Palera. We built cloud security solution, which ended up becoming the CASB. And we got acquired by Oracle, so I spent some time doing the Oracle CASB, a part of the Oracle Cloud Security

Since then, I've been focusing on TrustLogix. Here we are focusing on data security, and it's a very, very hard problem. Talk about that in a second, but one of the things I found, John, working on data security back in the days, 78 years ago, securing data, or actually database, and on-prem applications, especially for financial companies.

Securing access to data is very, very hard. Implementing access controls is very, very hard back in the days. And doing that with a high performance, it's a microsecond performance, right? It is very, very hard. And we used to solve those problems back in the days. And then when we looked at the cloud, how the data is used in the cloud, it's became very, very complex, the problem. And then, you know,

Ganesh (03:17.788)
I was working at Oracle, working with the companies and customers there. Many times we used to hear from customers telling us about their concerns about data within their businesses and how data is moving into the cloud. And then they were asking for solutions. And I didn't see any good solutions, making this access control the hard part of working in the cloud. And it became very complex. So that's really the foundation for us to start this company.

You know, talk about more as we get into the discussion. Yeah, that's, that's my long background.

John D (03:54.426)
So, thanks for that, Ganesh. And one of the reasons I thought you'd be a great guest here for the Candid CISO podcast is we've had many candid conversations. In fact, going back to those Oracle days, one of the things that I really liked about kind of the team that you were part of there at Oracle is that they had a great customer advisory group.

or CAB, right, customer advisory board. And you guys led us kind of in, not sure if they actually had microphones in those rooms or not, but we had some closed sessions where we could get together and talk about our problems, not just kind of about the products. And I think that's one of the things that, you know, security practitioners are always looking for. How can I learn from other people who may have solved a few things? How can I give back in some of those different areas? Speaking of giving back, it's interesting, of course, that, you know, you went off and started a...

a new company there and then it got spun right back around and acquired by Oracle. So I guess, you know, sometimes they tried to pull you right back in.

Ganesh (04:48.312)
Yeah, that was not by design. It's just a coincidence. We were solving some real complex cloud security problems. And we thought there's a good energy. And at that time, it made sense and became part of that. It was great. Oracle is a great company. Security is a top important Oracle takes for the customer. So working part of Oracle security group has been a great experience for me.

John D (05:30.038)
You're kind of with your tribe, but that also points to one of the big problems that we see kind of in how we secure and make sure that, you know, customer data is private and things like that, which is the siloed nature of different organizations. So, you know, I was there with, you know, different heads of security or identity and other things like that. And we all knew what the problems were, but, you know, there was still a CIO somewhere else, there was a head of engineering somewhere else. These are all people you need to, to work.

with and it's one of those challenges that people don't like to talk about so much except in the quiet rooms. So I think it's a great candid topic. So I guess one of the questions I have for you is how have you seen your customers and other people, how do you collaborate? And in the data world, you've got your chief data officer or CDO, you have a CISO, you have a CFO who cares about the financial side, you got the legal guy trying to make sure all the data is private. Both kind of operationally and organizationally.

How have you kind of seen these problems and what can we do to solve some of it? You know what I mean?

Ganesh (06:33.72)
Yeah, no, this is a great question. This is a hard problem as well, John. What we see is, stepping back, if you look at what's going on in most of the companies, is there is a data modernization. Many companies have taken cloud first strategy. It used to be the cloud preferred before. Now they have taken cloud first strategy as part of that over the next three to five years.

you know, these large companies, enterprises are moving hundreds of applications, hundreds of databases from on-prem to cloud. And as part of that, you know, they're not just doing a lift and shift, but they're modernizing, you know, these data platforms as they move to the cloud. And cloud makes it easy for them to leverage the infrastructure and the cost and performance and, and these businesses are moving data and they're building data lakes and data warehouses, moving their databases into the cloud, transactional databases, including

and building analytics and machine learning models, AI applications. All of these applications needs data. And there's a lot of sensitive data coming into the cloud. And this data sprawl is happening across multiple platform data lakes and data warehouses. On top of that, there is more data. And as business is going, their customers are going. And the more data is coming into the cloud.

And more people are looking to access data within that company, their partners and contractors. On top of that, employees are looking to access data and are working from home. Wherever they want to be productive, they want to get access to data, including the sensitive data. While all of these challenges are coming in, now businesses are trying to move fast. They want to get the data out. They want to gain insights from data. And they're not really thinking about security from early on. And then

Now that there is a CSO organization, privacy legal organizations, they are left alone now. They are left on their own to figure this out. They want to get visibility, but they're not experts in data. On top of that, the data architecture is completely changed in the cloud now. There is a separation of the compute and storage that's causing massive scale of data, companies like Snowflake and Amazon Redshift and Databricks and Google Cloud.

Ganesh (08:49.568)
they have made it so easy, so much scalable. The traditional tools that security teams have don't work anymore for this modern data architecture. So there is a challenge for security folks and privacy and legal folks to understand what is going on. At the same time, there's a CDO, they are trying to leverage the business opportunities and getting the data out and then using the data and getting the data sprawled to...

get data used, you know, there is the siloed nature is happening today. That's what we see. You know, the CIOs and CTOs are trying to do things to make sense. CISOs are not, you know, collaborating. What I think we need to do, John, is, you know, when we spent six months before we started TrustLogix, we really wanted to understand what is the best way to secure this data and there is a lot of chaos with these CTOs and CISOs doing their own things.

We think that there is a methodical way is required and there is no real industry standard today for data security in the cloud. Every data vendor like Snowflake and Amazon, they have their own data security implementations. There's no reference architecture out there. So now if you look at that problem, there is a real new approach is required to solve this, comprehensive way for securing data. And then you need a tool that brings both CISOs and CDOs together in collaborate.

and then look at the data security from the same angle and help data consumers get access to data. That's really what TrustLogix is all about. I'll stop there John and see any questions there and before I go into details, right? That's really the hard problem that you're getting.

John D (10:33.634)
Yeah, and I got a couple places I want us to take our conversation today, but you know, I did want to start out with the people, right? Because especially as technologists.

we often kind of feel like, oh, I need a tool or I need this. And a lot of times, you know, some of the fundamental problems are organizational or, you know, kind of really people driven. And it seems to be part of that still with kind of how things are siloed. You know, what's interesting to me is, you know, this whole new ideas around observability, both for operational and security needs, uh, data access governance, you know, there were kind of issues back when everything was in one big database or, you know, the ERP system and the CRM system and even

You know, so they were on-prem first, then they were in the cloud. Now things seem to be kind of going back and forth in different areas. I guess I do want to talk about data classification, but before we go there, I guess how often when you go in and talk to kind of, you know, new customer and prospect, then, yeah, how, sorry, hang on a sec. I'm getting some stuff. We'll cut this one out.

Steve I'm like at 10 on the channel So you want me to drop it down or let's see Yeah Yeah, it's like it's like up all the way sorry, okay Where was I yeah, so okay, we'll cut it back here and so The real the question I was trying to get out there is

Steve (11:46.64)
Oh, in the picture it was at four. Just, yeah, have it eight, nine, 10. Yeah, if it's already at 10, leave it there.

Okay.

John D (12:07.634)
So when you go in and talk with new folks and you help them with discovery and things like that, how often do you discover kind of the five side data science projects that were going on that have critical data in them versus, you know, Hey, everything's exactly where we expected it to be.

Ganesh (12:23.536)
Yeah, you know, that's really where we come in. And you know, that's one of those challenges with the cloud, right? You know, it's very easy for data engineers, data scientists just spin off, you know, new container, new database and start moving the data. You know, and you do want to at some point encourage productivity. John, you want to let people, you know, go, you know, use the data, you know, that's really what, you know, data engineers and data scientists are supposed to be doing.

And you don't want to put controls on the data and then create a friction to them. If you create a friction, they're going to go figure it out. Some other ways using shadow IT, ways to get access to data. So you do want to give that productivity concerns. Let them use the data. But you want to take an approach where, I believe, that risk-centric approach.

You want to keep discovery of data access. By that, what I mean is, where is data and who is accessing the data? What type of access controls are on the data? Who has been given the access to what? And what are they doing with that access? Do you have any data that is not even protected, that's sitting in the cloud? Is there any dark data? By that, many times what we see is

data engineers, data scientists just copy data from production and then they start doing some projects and then they get it done, they move on, but the data is left aside and that creates additional risk. So the data discovery, data access discovery patterns is, we believe that you start that you don't need a huge classification project for you to secure access to data, for example. So you can start with observability.

by simply looking at your clouds, multi-clouds, AWS and Azure and Snowflake, looking at that data and then looking at people, what they are doing, and then start putting together risky usage of data. Start looking at any data that is unused or any access people have granted to, but not using it. One of the big things we see, John, is the lack of security expertise.

Ganesh (14:45.564)
DBAs and data engineers, they just grant everything to everyone that causes their many administrative user accounts in the system.

John D (14:54.84)
Why would anyone do the wrong thing with this data? I'm just trying to solve problems, right? You know, they don't think like attackers. If you're an engineer or a builder, it's often really hard to kind of, you know, have that mindset, right, Ganesh?

Ganesh (15:04.856)
Yeah, yeah, so I think that's why I think it's important that you have that security observability, start with that and then understand how data is used and who is using it and then start putting, AI driven recommendations to start remediating any, any risks and any compliance violations and then start building it out and it's very dubious. So we take it to high level, two step approach, one is a security observability, basically try to understand the risk.

And that helps the CISOs and legal advice people to, even though they are not the data owners, they are accountable for data, they start getting visibility into the risk. And then they can start looking at recommendations, perhaps the vendors that they are using can provide and using that, they can collaborate with the data owners. Now, they can now go back to their business teams and then tell them, look, I'm seeing some data usage, which I don't expect it should be happening. Let's go fix it.

Now, it's not just there. Now you need to give them the tool to remediate those as well. It's so complex, you know, if they have to go fix in each other's database. So coming back, you know, to kind of tie it back to your question, you know, the security observability, we believe that, you know, is important aspect. Even if you don't have classification, it's okay. But if you have classification, you can use that and make it more intelligent.

but you could simply start with security observability and start building out your data security program.

John D (16:37.907)
I think that's a great lead into kind of what I wanted to talk a bit about. And you know, this is a controversial thing. Almost every security program I've been involved with, especially for folks who come out of government, they know the whole kind of, you know, non classified secret, top secret, compartmentalized.

group around it. Here's public data, here's sensitive data, here's highly sensitive data. And trying to drive that type of classification, even getting people to use the right spreadsheet templates and PowerPoint templates and presentations and stuff like that has always been one of those challenges over time. I mean, I guess, especially in this era where everything lives in the cloud or it's moving that way for folks that aren't there already, do we need tagging still? Is tagging something that humans should be doing? Maybe we'll come back to that on the AI and

front, kind of the last topic I want to make sure we hit up here. But, and I think you guys had some thoughts around this as far as the dirty little secrets around data tagging and maybe what you've observed.

Ganesh (17:35.564)
Yeah, so, you know one of the things we learned is talking to you know, many companies is you know There is a aspiration early companies wants to have a good data classification, you know But that needs you know collaboration between the business teams and as the data is coming in It's sometimes these programs are very hard to implement. It's they're not successful so what

And then on top of that, there are vendors like Snowflake and Amazon, they're also providing built-in classification capabilities now. So, it depends on where your maturity is, where your data program is, depends on that you could start without classification. And as I mentioned, Security Observability can help you right there to get to the security program started out. But also,

If you are using some of the data platforms, you should leverage the automated classification that's available and then tagging. So certainly the tagging will definitely help, especially if you have a huge data sets, you have a lot of data teams within the company, and you want to have a central data management program, the tagging and classification really helps there so that.

different data consumers can look for what they're looking for. They can discover the different data sets using the tags on the catalogs. But from the security perspective, we can also leverage the same tags and make it more intelligent. As you talked about the confidential data, privacy sensitive data, right? From the compliance wise, if there is a tag already available, absolutely helps to leverage that.

But we think that many times companies make it overly complex and classification solutions are typically a lot of false positives. And you don't have a deal and then block yourself waiting for a good classification to be in place.

John D (19:40.753)
So, so you recommend kind of the, the keep it simple or KISS principle, you know, the last, last S can stand for a number of different things there, keep it simple assignment or something else like that. So what you, you kind of recommend that people go down that path and make sure they're at least covering kind of their.

regulatory and other hard needs, but also take advantage of some of this, this new capabilities for classification. I think that's part of what I'm hearing from you, right? Well, I want to pivot a little bit to kind of something that is often comes up, especially in areas where it's kind of new, and that's the whole build versus buy, right? And so I guess to start us off here, maybe I'll go back with a little scenario and then we can talk a bit more about that one.

Ganesh (20:04.048)
That's exactly right.

John D (20:25.31)
As you know, I've been at CISO at a number of different organizations. I'm currently working with a very early stage startup. And we see this kind of stuff in the areas that we're trying to target. And for a lot of times, and it seems like this was the case in data security, kind of before the whole DSPM moniker came up and some of the other analysts getting into the mix, the CISO would go and say to the chief data officer or the head of engineering, hey, don't roll this out until you can make sure that this customer data is going to be protected.

And for our sake of argument here, let's say that they're doing a big push into Europe, so now GDPR is gonna be a much bigger issue, which is still something they needed to handle before. So the CDO turns around to his managers and directors and says, fix this problem. They turn around to the data engineers and say, fix this problem. And they're data engineers, they like to build things. So, you know, generally someone will go and build that, and that engineer that built it might leave, maybe they open source part of it too, so there's some...

You know, tools that you can use, maybe it's entirely internal, but, um, I guess that the question there, and, you know, I know you're coming from this, the solution and vendor side of things. How often do you come across people who are replacing kind of, uh, some home grown tools with your platform or other things like that, and, and does that really kind of, does that meet your observations as well as where kind of the CISOs just says, go fix it. And then, you know, the engineering team says, well, we know what to do. We build things, right.

Ganesh (21:53.432)
Yeah, John, I think it's a very common discussion that we have. And this is nothing new. This has been there for even back in the days when we used to build entitlements products for on-prem applications. We used to run into the same discussions. So it depends on, in my mind, depends on the company. How big is your company? What sensitive data you have? And then,

how many data sets, multi-cloud is given for us. And then, as I mentioned, on average, we see 10 to 15 data sources within a typical small business unit of a given company. So when I say data sources, these are a combination of data lakes and data warehouses, analytics tools like Tableau, Looker. You have machine learning, platform, like Databricks, like tools. They're all used.

by these data teams to build solutions. So now your data is spread across all these data platforms. So you can now build in a siloed way using, all these platforms are good. They have native capabilities. You as a data engineer get excited to write Python code and write some SQL scripts and then you can start building it out. In a siloed fashion, you can do that.

But then, when you start looking at from the security and risk perspective, you are dealing with a siloed way of doing all these things. So you don't have a central way of getting visibility. That's one, that's security observability I talked about. And then, once you know the gaps, how do you go to remediate that through the right access controls, least-privilege access control. So if you look at multiple data platforms and trying to build it out.

It's very, very difficult. It's very hard. Data engineers are supposed to be focusing on data and then help businesses to make money. That's what they do, right? And building the security is not their expertise. So I think that's where we see, when we do POCs with our customers, they think that they have everything within few days after they run the POCs because...

Ganesh (24:14.288)
they see ineffective access controls. What that means is people are given access, they are not even using that. There is a data leakage happening already that they did not even know that existed. That's just one example. I can go on more other examples, but we do see this, you know, DIY, if it's a small linear environment, maybe it's okay. Or if you have 50 engineers dedicated for security, if they're all security experts.

Maybe you can go build it out, but not every company has that security expertise, so many people. You know, and then you want to be able to really look at the future, next three months, four months, six months, that operational, you know, chaos, right? You don't want to bring that in. So you talked about businesses are expanding. Today, you are working in the US. Now you're expanding into EU region. So your data is now moving to the EU. There is a stringent regulations. So you want to have a solution.

that scales as a business scales, as data sets increases, as number of views try to access data. So I believe that the company should look for options out there, look for a solution that is perhaps interoperable, that is perhaps cloud native, that is less risky for them to use without creating an overhead for them.

John D (25:33.479)
I'm definitely hearing some good thoughts for folks kind of around the

you know, build versus adopt versus buy. And that's generally kind of the things you have, which is definitely some companies and you think of the large financial groups that have kind of, you know, these large groups of engineers that go and work on a project and move on to the next one. And some of that's their competitive advantage, but it seems like some of the basic plumbing and wiring, you know, you should be using your talented engineers for the things that are core to your business. And so I guess I'd like to hear a little bit more about kind of TrustLogix and the platform there, but before we go there,

You know, I think that you know what you're bringing up is Whatever solution you go and look with you know, you will often find a lot of things that you weren't expecting Even if you went in and say hey, I just want to make sure that this new project like we said in our Theoretical one someone's expanding it to Europe Well, hey if you go and do a survey you may find that like you said these last six projects someone left data Abandoned and what are you gonna do with that because that's still potentially sensitive

and regulated data in some cases that you are on the hook for still, even if it's not kind of in your production environment, kind of back to our whole discussion on silo teams. So I guess I'd like to hear a little bit more about TrustLogix, kind of, you know, where you guys are at and where you see that platform, kind of how does that help, you know, folks, your customers so that people have an idea once they start thinking about these problems, you know, if you're someone they may want to come and get in touch with.

Ganesh (26:58.5)
Yeah, you know, John, you know, our mission at TrustLogix is simply to make that hard problem at Octoboard, you know, access controls and securing data in the cloud, make it easy. You know, that's really our mission. And then, you know, as part of that, what we do is, you know, we look at, you know, the data sprawl and the complexity of, you know, data access controls. And then, you know,

doing it in a more comprehensive fashion. So as part of that, what we do is we do two things for part of our platform, part of our multi-cloud data security platform is one is the DSPM you touched on that, the security observability and then identifying the risks, monitoring continuously, identify poorly granted access, unprotected data, privacy violations, data sprawl,

data moving out of your warehouses into public buckets like S3s. So we're looking for various activities as part of the DSPM solution. So that's step one. As part of that, we provide recommendations. Once we discover data misuse or data risks, we provide recommendations. So part two is remediating those risks automatically through least privilege access controls.

You know, Gartner starts talking about DSPM, you know, there is a word that is used called, you know, data detection response. You know, you know, there are all the new terms coming up, but we have been doing these things for the last two and a half years. You know, that remediation is access controls. You know, we know code-based access control policies. We automatically create access controls, including RBAC, ABAC, and various capabilities. So that's the second part of it. You know, first is the DSPM, and then the second is...

the granular access controls. And we do that across multiple data platforms within AWS and Snowflake and various other data platforms. The multi-clouds, and then there is no proxy. We never touch the data of customers. It's kind of really a very highly scalable architecture without touching the data and then 100% interoperable. By that, what I mean is we natively integrate with all these data platforms.

Ganesh (29:24.368)
so that there is no overhead for our customers. So our adoption has been great John, we've got financial companies using us, we've got marketing technology companies, we've got some services companies. When we go in there, it resonates very well and it's really, it's very great to see us going in and helping out these customers, keeping their data secure and then helping them focus on their business and reducing their.

productivity and, sorry, improving their productivity by reducing their operational scars and then security risks to them.

John D (30:01.656)
I heard you speak about Snowflake a number of times, and most people who do any type of cloud applications or work in the cloud know of them as one of the big data platforms. There's obviously many other from all the big cloud platforms as well. But I do want to dive into some things on AI and maybe some stuff that came out of that Snowflake conference that you had. But before we get there.

You know, one of the things that you definitely see is that, you know, people are in different platform stores. So like, you know, there's the AWS or Amazon marketplace for, you know, running your apps on AWS. I'm sure Google has something. Microsoft has, you know, things on Azure. Snowflake has one. And I guess I'm kind of curious, um, as to what drove you to kind of make that investment, to get into their store. And, you know, is that something that has kind of worked out well?

maybe those data engineers that live in those platforms would then see you as a potential solution and kind of bring it their way rather than having it be imposed by the CISO. I guess I'm just kind of curious, as far as being in marketplaces for different platforms, how has that worked out for you guys?

Ganesh (31:05.956)
Yeah, you know, we are a multi-cloud data security platform. So Snowflake is one of our, you know, supported platforms and we are a design partner to Snowflake. We are part of their Accelerated Governance Program. We have test validated certification with Snowflake. So we collaborate very closely with the Snowflake team to ensure that our solution for Snowflake customers is complementary and...

does not create any friction for our customers with basically Snowflake in our customers. So that has been working out great. And AWS, we are in the AWS marketplace as well. And we are AWS partner, helping out Redshift and RDS customers with the data lakes in AWS. It has been a huge need for these companies that are not doing this data platform. So...

being there and then helping out these customers has been working out great for us. And the marketplaces just happens to be, you know, credibility, right? You know, we work with these vendors and, you know, they have certified with us. And it just kind of gives additional confidence and, you know, peace of mind for our customer that we are a certified partner, you know, by these vendors. You know, the Snowflake itself is concerned, you know, you talked about, you know,

We see the customers of Snowflake using data and sharing data. It's one of the top use cases is they have data marketplace. And data sharing is very, very important for these customers. These customers like financial companies, insurance tech companies, marketing technology companies, they collaborate with their customers, and the data sharing is happening. And then it's very important for them that the sharing is happening in a secure fashion.

And we help them with that. And we help them take care of that compliance and security while they focus on building that data sharing and building their data applications in Snowflake.

John D (33:14.597)
Thanks. That's helpful.

John D (33:19.202)
Um, so, you know, obviously Snowflake's become one of those conferences where the, the kind of data engineers and other folks that are, are builders are, are around, I think you mentioned, um, uh, when you and I were speaking a little bit earlier ahead of this podcast about, um, they changed their keynote to deal with AI, I mean, with the whole thing with large language models, ChatGPT, you know, uh, Google's and everybody's kind of getting into the mix with, with different services here. Um,

Did you really see a change around that with AI? And then I've got a few questions kind of in there that we might want to dive into, kind of as far as people thinking about AI and their data.

Ganesh (33:57.828)
Yeah, you know, recently coming last week for the Snowflake Summit and there was also Databricks Summit the same week. You know, we were all there in the Snowflake Summit. It's really a great place to meet data practitioners, data engineers and data architects. It was a very high energy conference. We enjoyed it. Doing a lot of in-person meetings.

Yeah, AI was one of the biggest focuses Snowflake is putting in, and obviously it's very natural now where things stand. So they've announced various AI-centric platform extensions and solutions. They also announced in addition to AI, the partnership with NVIDIA, where they're going to run AI models offered by NVIDIA in the Snowflake cloud.

It's exciting. Now developers can write applications in Snowflake, leveraging those AI models and deploying them in the Snowflake. In addition to that, Snowflake also announced various application category capabilities, containers. Now we can deploy containers in Snowflake. It's really good to get momentum on the Snowflake side. And then the core of all these things is security. As you're bringing more and more data,

you know, running AI models, the data is coming in, there is data is moving across all these applications and sharing is happening across these different services. You want to make sure that, you know, your security is also part of the core adoption, not an afterthought. So that's where TrustLogix has been partnering with Snowflake ensuring that, you know, we integrate security capabilities into those new extensions.

So over the next few months, we'll be working on those extensions as well.

John D (35:57.576)
I think it's really interesting. And you said it is across kind of all of the major kind of mega tech platforms and then kind of the data platforms like Databricks so if like other ones like that as well.

You know, one of the things that I think is really kind of interesting and we probably have a whole nother podcast, you know, worth of topics on this one, which is people are using. People are using these different large language models and other constructs. Sometimes they have a private model sometimes they're using some of the public ones like we've seen with people using you know, ChatGPT and you know different models that they have and other folks as well.

You gotta be concerned about the data that people are putting in there. I mean, there's a whole nother policy set of things that, like I said, will have to address some way. But if we talk about this, I see it's both the same problem you had around data governance, but it has a whole new set of issues. Are there any kind of ones you want to talk to you kind of address on this one or tell me what you think, Ganesh?

Ganesh (36:54.936)
Yeah, from the enterprise perspective, the AI adoption is happening, and in the next few years, it's going to be the top concern from the security side. So the way we are looking at is the multiple use cases that we look at for the asset. One is all coming from the enterprise side. The many companies out there are building AI models now. These are all the model providers. And they spend a lot of time building these models and techniques.

and they offer these models to their customers. Now, different service consumers use these models to build their AI applications. So you want to make sure that those AI models have the right security, right entitlements around them so that there is no inappropriate usage is happening of those models and there is a monitoring and auditing is enabled for those AI models so that the model providers can protect their IP.

and then ensure that only authorized consumers of models are using those models. That's one. The second is within the AI applications, data is moving. Institute data is coming in. Your AI techniques and machine learning techniques are using the data to come up with predictions. So you want to make sure that data, there is a privacy PIA associated with that. Do you anonymize that data or do you...

How do you de-identify the data as appropriate? So there's a lot of challenges around that. And then also when you present that information back to the consumers, as part of the prompt responses, do you show that real data, there's a PIA associated with that as well. So there is a security and privacy concepts that we need to embed as part of the application, as part of the responses that are happening.

So we are looking at that from that angle as well. So we've got techniques already, masking identification, de-identification, and some of those techniques. It's just a matter of integrating as Snowflake and other data platform vendors start building out these applications. So embed these capabilities as part of their consumption. So those are the couple of use cases that we are thinking of. In addition to that, our own platform, we leverage AI within our own.

Ganesh (39:23.508)
We have recommendations in Gen, and we have our own experience of using this AI model. Hopefully, we can also help our customers in understanding some of these AI models and some of the security concerns that we had to deal with our own customer's datasets. We'll be sharing that information as well. It's probably a different topic altogether, but those are some of the tasks that we are working on at this point.

John D (39:47.403)
I think that's good and that should give some kind of nuggets for a few folks that are there listening to us here today and may want to see where they go to next dealing with AI and data. I guess I'm going to ask one last kind of candid question in keeping with our

our title of this podcast. Are there any lessons that you've taken kind of from this professional journey dealing with data security that you've applied to your own personal life or maybe things that you tell your kids about and things like that? I know I put you on the spot here Ganesh, but tell me what you got.

Ganesh (40:19.012)
Yeah, the world we live in right now, you've got to assume that you're going to be breached. You're going to have your information out there and publicly. You just have to make some assumptions around that. And then given that, you need to make sure that you protect yourself. This applies to individuals as well as to the companies.

Ganesh (40:48.752)
access controls in our world that we're talking about also have a good monitoring solution in place. And then, both, not just the detection, but also the protection, right? So, have both solutions in place. And it applies to kids, whether they are using, nowadays they are using a lot of TikTok, and the Google, and searches, a lot of stuff happening. They gotta protect their identity, they gotta protect their privacy there.

and using the right password wallets there so that you protect your passwords and not share your information. Some of these things are just the basic foundation that you have to apply. And for enterprises, as data that we see, it's given, data sprawl is given. You have to assume that data is gonna move across multiple clouds, multiple data platforms. So given that multi-clouds and multi-clouds data platforms, you got to really put together a comprehensive security program. And then you can do that. You don't need to have a very large investment that you can just start with simple observability, start understanding, get visibility into what's going on, and then start taking care of, you know, step by step. So, you know, it is, it is tough, but I think there is a lot of help there. And, you know, happy to talk to any of your listeners and provide.

guidance, how we are doing with our customers, and then our own experiences as well.

John D (42:23.26)
Hey, I appreciate that a lot. And Ganesh, thank you so much for being a guest here on the Candid CISO podcast. I think we've had some...

Great topics that we've explored today and people will have some thoughts thinking around this. And definitely for anyone listening, reach out to us. We're happy to connect you both with Ganesh. You'll see him inside the chapter information here as well. Otherwise, a great discussion here on data security, maybe both for your personal touches as well as well as for your enterprise. All right. Thanks a lot, Ganesh.

Ganesh (42:56.24)
Thank you, John. It's great talking to you.

 

 


Ganesh Kirti

Founder & CEO

Ganesh is a security solution innovator and entrepreneur and has built multiple security products successfully used by thousands of enterprise customers. Most recently, he was the Co-founder and CTO of Palerra, a Cloud Security (CASB) company acquired by Oracle.