Vikram Shrowty remembers when he was an engineer, building the first Data Loss Prevention product at Vontu/Symantec.“Back then,” he says, “The biggest fear a chief information security officer had was that someone would copy confidential documents to a USB drive and walk out with it. Data protection was all about protecting the perimeter. Data belonged on premise and you built tools to help keep it in there. And a 500-meg zip file was ‘big data’!”
Since then, two major computing trends turned this scenario inside out: data explosion and the rise of the cloud.
The “big data/hadoop” hype cycle came and went, but companies continued to stockpile data at accelerating rates and across a variety of cloud repositories. Vikram observed that just about everyone struggled with analyzing this data for lack of a tool that could automatically redact sensitive customer information. So that’s what he initially set out to build.
The Prototype and a Surprising Result
The first iteration of Divebell was a data ‘auto-desensitizer.’ “The prototype,” he says, “had a wizard with two steps: Step one would detect sensitive data, step two would desensitize it. Most people who saw it would fixate on step one.
This surprised me at first, but over time, I understood why detecting sensitive data got so much interest. Most organizations are sitting on enormous quantities of data in hundreds of repositories, both on premise and in the cloud, and people in data governance, privacy, and information security have very limited visibility into it. This creates enormous risk for the company. It’s an inversion of the old perimeter-defense use case. Now it’s about sensitive data inside the company: Where is it? How old is it? Who has access to it? Why?”
And the problem keeps getting harder. “It’s like entropy,” he likes to say. “Entropy only grows and data only proliferates. People kept asking me for a product that could help manage this proliferation. I kept hearing, ‘'Make me a product that is easy to deploy and manage and gives me observability into my data ecosystem — across clouds and across structured and unstructured data. If you can do that, it is a game changer.’”
He also realized that this lack of visibility created cascading challenges. “Take for instance the regular ‘access audits’ that companies need to do. How do you make sure that people don’t have access to the data they shouldn’t, when you have twelve thousand tables in a warehouse and very little idea about what kind of data is in them? Similarly, privacy regulations require companies to conduct privacy impact assessments when an application’s personal data footprint changes. Without visibility into application databases, there was no way to know when that change occurred in the first place.” The list only grew as Vikram worked on his prototype and talked to seasoned information security and privacy professionals.
The Dream Team
“So that’s how Divebell started,” he says. “We realized people needed a solution that discovered sensitive data accurately, was easy to deploy, and scaled well. And when it came to securely, efficiently, and accurately analyzing petabyte-scale data, we had a dream team of people who had been doing this sort of thing for decades.”
As for the name of the company? It’s a great little metaphor for what the product actually does. “A diving bell is an enclosure that divers use in their exploration of the dark and murky depths,” Vikram says. “And Divebell is software that helps you locate your sensitive data amongst the murky depths of your data ecosystem.”
Any opinions expressed here and statements made are not legal advice, nor representations or warranties, and are intended to promote discussion around technology and data protection.