0:00:06 Max Havey: Hello, and welcome to another edition of Security Visionaries, a podcast all about the world of cyber data and tech infrastructure, bringing together experts from around the world and across domains. I'm your host, Max, and today we're diving headfirst into the world of unified security, and we have two guests that are both pros on the product side of things. First up, we have Sinead O'Donovan, Vice President of Product Management focusing on identity and network access at Microsoft. Specifically, Sinead helped launch Microsoft's security service edge product portfolio. Sinead, welcome to the program.
0:00:41 Sinead O'Donovan: Thanks, Max. I'm super excited to be here.
0:00:46 Max Havey: Absolutely. And then additionally, we have Eliot Sun, Vice President of Product Management at Netskope, where among other things, he has led projects around Netskope's API-enabled cloud security portfolio. Eliot, welcome to the show.
0:00:58 Eliot Sun: Yeah, thanks for having us, Max. Really excited to be here as well.
0:01:01 Max Havey: Yeah, absolutely. Well, let's dive in here. I know we're going to talk about unified security, but I think it maybe makes sense to start first in defining what is currently un-unified about security. And so Sinead, I wanted to pose that to you first. Can you sort of take us through what's un-unified about security and sort of define what that problem looks like?
0:01:21 Sinead O'Donovan: Yeah, and again, I have a little bit of a biased perspective because I look at the world maybe from very much from an identity and network perspective, because I do think that access is the foundation of your security model. It's the basis in which you set up all your policies and especially you have to have a unique identity for the user and for the objects and for the agents. And so I think today we're quite fragmented. Identity and network are kind of two separate. It's really important that they're brought together. And then on top of that data is also super important element. And I know customers are really wanting this idea of a one policy engine, especially for DLP. So today we do have quite a bit of fragmentation and we're all working hard to bring us to this more unified view. And at Microsoft, we're focusing on the access fabric, which is what we think of identity and network together. And then one DLP policy with Purview.
0:02:19 Max Havey: Certainly. And Eliot, from your perspective on the data side of things, how does that function on the other side?
0:02:26 Eliot Sun: Sure, yeah. I think a lot of the problems with security being un-unified, especially from the sense of an operations perspective just comes with the simple problem that data is everywhere. It's all over the place. And this trend really started years and years ago with the consumerization of IT. Employees started bringing in their own applications, their own devices into the enterprise. And so the enterprise network really expanded very quickly into tons of different destinations in the cloud. And so data really just went everywhere and there was a lot of it. And in order to chase the data, security teams, they brought in a lot of tools and there was basically a specific tool to address each location and each resource wherever it may have gone. And so I think a lot of the security teams, they ended up with tons of purpose-built things to solve this problem. And I think just by the nature of having a ton of things, it becomes very difficult to unify your operations across all those disparate things.
0:03:35 Max Havey: Definitely. And I know the term unified data security is getting sort of tossed around a bit these days in conversations. So Eliot, could you kind of give us a sense of what exactly unified data security is and sort of break it down in a way that we can describe it to a parent, a friend, someone who's a little bit less tech literate than the three of us right here?
0:03:53 Eliot Sun: Sure. Yeah. So one of the ways that I kind of like to think about it is if you think of data as kind of your favorite toys and you're very protective of these things, you want to make sure that no one's going to steal that. In the non-unified state of data protection that we're in right now, it's kind of like you're living in a house, you store your toys all over the place. You might have some in your room, you might have some in your parents' room. Let's say your grandma, your grandpa also live with you. So there might be some things in their room. So you go to each owner of these rooms and you say, don't let the bad guys steal my toys that are in this room. But grandma, grandpa, mom, dad, they may not necessarily be communicating very clearly between each other because thinking about your favorite toys is probably not the highest priority on their list. So the bad guy, generally, let's say your younger brother, he really only needs to find the easiest place to break into in order to steal your toys. And it's probably going to be dad. So I'll go to dad and he'll say, give me access to this toy. He's going to take the toy. So because your toys are all over the place, right? It's really hard to check in to make sure that your toys are where they are and see if there's anything missing. But let's say in a unified state, you keep all of your toys in a single place. Let's say you have this really awesome, big, strong toy chest, all your toys go in there, it's got one big strong lock and only you and the person that you trust most with a key to it, that's probably mom, know how to get into this chest. So your brother is not going to be able to get into this toy chest because the lock is really strong and your mom, the most reliable guardian of your favorite toys, is not going to let 'em break into that toy chest. 
So in a unified state, it's much easier to take an inventory of what stuff you have, know where it is, and know the exact security status of your toys at any given point in time.
0:06:03 Max Havey: Excellent. Well, and Sinead, given those sorts of examples there, do you have anything else that you would add to that from sort of the identity trust networking side of things?
0:06:14 Sinead O'Donovan: Sure, yeah, I think there's maybe a couple of, maybe extra dimensions. And I'll just keep this toy analogy going. And you also need to think about, sometimes you might have a little Trojan horse happening here. And so I think you do need to think about do you have an insider risk as well? Maybe your brother has brought over a friend and that friend is going to take that little toy and put it in the bag and take it as well. And so I think just being aware that just because you're able to get into those rooms, you have to consider that also that not everyone is trustworthy in that sense. And so that's why I think it's really important to go back to the principles of zero trust and to think about your perimeter and think about all the paths where that data can move to. And that's an important dimension to think about as well in that larger data security story.
0:07:13 Eliot Sun: I totally agree with that. I think identity plays a super key piece here, especially, let's just say an example where there might be a brother that you like that you're willing to give access to your toys. So the identity check to make sure that, okay, is this the right brother that's asking for access to the toys? If it is the right brother, yes. If it's not the right brother, no. And then perhaps also to Sinead's point, I think the zero trust network access philosophies really apply here where let's say you trust one of your brothers now, but perhaps there's some kind of behavioral anomaly. He breaks one of your favorite toys, it's no longer getting access from that point forward. So I think identity is a very key piece in this story.
0:07:56 Max Havey: Absolutely. And to take things a little bit further here, Eliot, I want to talk about states of data at rest, data in motion, data in use. With that in mind, where are some of the main disconnections where you're seeing things as it applies to sort of a unified security approach from the data side?
0:08:14 Eliot Sun: So I think in the same way that data is in a lot of places, data also exists in a lot of states in a lot of contexts. So I'd say not even at rest, in motion, and in use, I think those states are really important, but there's additional context about data as well. Even if it's in, let's say an enterprise application, an employee could be using perhaps a personal instance of an application that is sanctioned. So there's also this concept of personal and corporate instances of applications where data is going. But I think specifically for those states, at the end of the day, you really need to have the same engine that's inspecting and classifying that content. If you use different engines for each of the different states, then you'd have to write a different policy for each one. So then you have disparate policies, and then you still probably will get inconsistent inspection results because the way that every single classification engine works, you may end up with different results inspecting content that maybe should be resulting in the same kind of results. And so I think there's a lot of challenges here, data at rest, there's just so much data in a lot of different places that's kind of just sitting there. With data in motion, there's a ton of destinations everywhere, whether it's cloud apps, whether it's websites, email endpoints, et cetera, that data can be transmitted to. And then data in use becomes very, very interesting. I think especially in this age of AI and agentic use and access of data, there's a lot of missing context from the cloud or other destinations about how is data actually being used there. It may not be in motion, it is sitting there, but how is, let's say, as an example, an agent using that data, is it using it in different ways for different workflows or LLMs that have access to that data? Is it being used for training? Is it being used for inference? 
So that's becoming, I'd say, one state of data that is especially challenging in the AI age and something that you'll definitely want to do deep inspection for.
0:10:29 Max Havey: Certainly. And Sinead, thinking about things from the identity and trust side of things, what are some of the gaps that you would sort of point out when it comes to a unified security strategy? What should folks be sort of keeping in mind as they're thinking about that in sort of a similar way?
0:10:43 Sinead O'Donovan: Yeah, maybe building a little bit on what Eliot said. I like to use this idea of these three Cs, and the first C is context, and I think that's super, super important. So it's like who's the user and group? Where's the destination? So it's what's the application then that's being used? What's the different risk levels? And so that's kind of a key factor that needs to be considered. And then the second C for me is kind of the channel. And this is like, okay, where is the data? So it's in rest. Okay, where is it? Is it protected there? But then is it in motion? Then there's a different set of things that come up. And then the third one is actually about the content itself. And again, Eliot mentioned this, and I also think about just because we're looking at everything from an identity and network approach, there's the protocols matter, but also what the user is trying to do or the agent is trying to do, is it upload, download. And so that would be the thing I would think about. And so as you're bringing it all together, I think you need to think, you need to have a really good approach to both discover the data and understand it, but also then set kind of a one DLP policy because at the end of the day, the data is the crown jewels and all of that details doesn't really matter, but if your sensitive data gets into the wrong hands, then you failed. And so you have to think of it holistically. And I kind of go back to that zero trust approach. It's super important and get to that least privilege mindset. And then adaptive access control also. So maybe the, and the deep content inspection is critical. You don't understand the content or the activity unless you're able to look deep into the data flows.
0:12:28 Max Havey: So we've done a lot of talking about the what's around unified security, but I'd like to dig a little bit further into some of the tangible examples around the why's. So Sinead, what are some of the top line benefits that you see when it comes to a unified strategy?
0:12:45 Sinead O'Donovan: We're in the moment in time where customers have bought individual tools and then they've spent enormous amount of time trying to stitch them together. And when you have these unique tools, there's always an opportunity for seams to occur between them and attackers love that. That brother's going to find that weakest link and is going to exploit it. So I think the real reason on the why is you want to take more platform approach to this and have something that's already integrated because at least then you won't have the seams. And I think the benefits that you'll get is there are many facets. One is it'll be more comprehensive. You'll have one place to focus, you have one sense of alerts, and you'll make your team more operationally efficient and you'll be able to assess the different risks that you have also, and just especially in a time of AI where everything's going to get even more fragmented.
0:13:42 Max Havey: Eliot, is there anything that you would sort of add to this conversation about the whys around unified security as it relates to the data side of things?
0:13:51 Eliot Sun: I think when we think about data protection teams, they have a lot of goals, but I think two of the biggest ones that they have is one, prevent any kind of data exfiltration events happening to their organization sensitive data. And then two, ensure that they're compliant across the board to any data industry compliance requirements. And so in order to ensure that that's happening across the organization's data landscape, and again, it probably sound like a broken record already, but going back to what I said about data being everywhere and data being in a lot of different states, you can't just protect a single state or a single destination. You really need to protect the entire landscape. And so in order to do that, and I actually still hear this with a lot of customers today, they'll think, oh, okay, I have an inline product that is protecting everything in real time. So if they see risky actions, I block it. So my organization's completely safe. There's no need to scan out of band data at rest or data in use because I'm locking down stuff in real time. But if you think about this from a compliance perspective, if you see in real time there's users trying to send sensitive data, let's say into Dropbox or into SharePoint, then it's very likely that there's already sensitive data sitting at rest in those services. So if you only have data protection for inline real time and you're not scanning the stuff that's at rest already, you're already out of compliance. So you need to be able to secure data in all the destinations in all the different states. I think another benefit from an operation standpoint is actually being able to answer really quickly in detail when a CISO asks the question, where is our most sensitive data and can we prove that it's secure? Again, if you don't have that coverage everywhere in all the different states, you may be able to answer that question in each of the silos. 
Okay, in this destination, is my SharePoint configured correctly? Is there no PII in my employee's SharePoint accounts, yes, but are you doing that with OneDrive or Teams or Dropbox or Box or whatever, all the other cloud applications? So that's another benefit of having unified solution is you can get answers very, very fast. And then the next two that come to mind I think are just general security benefits of proactively being able to identify and reduce risks before things happen. I think that's another thing that's kind of overlooked with realtime protection, where real time is actually very reactive. You don't take an action until you see the action happening, but there's potentially a lot of risky things you can prevent from even getting to that point. So having a unified data solution really paints that picture of the entire landscape of potential risks for security organizations. And I think finally, once you're able to identify these risks and you get all the context, then you can respond a lot faster and you can mitigate these things and mean time to detection, mean time to response are very important for security organizations.
0:16:55 Max Havey: Certainly something that ultimately leads to a more proactive approach versus that kind of traditional reactive approach.
0:17:02 Eliot Sun: Correct. Yeah.
0:17:04 Max Havey: Well, and with all of that in mind, I know you threw around a couple of different metrics there, Eliot, what are some of the key metrics that you think organizations should be considering when it comes to measuring the advantages of having a unified approach like this?
0:17:17 Eliot Sun: Yeah, I think I'll cheat and I'll use the last few things that I just mentioned and say mean time to detection, of course, mean time to response, I think a lot of security efficacy is really measured on that. And so being able to react very quickly to a breach and fix it and how long is that going to take? Unification really dramatically lowers that time by providing all the context that you need from all different places in a single place. And to the point that Sinead made earlier, it's not just about understanding the sensitivity and the classification of a single piece of data, but you really need to understand how that single piece of data is related to your entire landscape of enterprise resources, whether it's the user, what device they're accessing that data from, or what application that data sitting in. And then now with AI, you care about what LLMs is that app using and what data was that trained on? What data is it processing in production? So there's this really big map of enterprise resources that you really don't get unless you have a unified solution that is pulling all that context from all over the place and putting it into a single place. And what that results in is much faster, mean time detection and mean time to response. I think a couple other things that come to mind. One is data classification coverage. So if you have data everywhere, you really want to know how much of that data you're covering and really understanding. Policy exception rate I think is another big thing. How many false positives are being generated and how often you're actually blocking a user from doing their job. They may not be doing something risky, but you're blocking them from doing their job. And so we really want to prevent that from happening. 
I think a lot of the times we, and Sinead, you probably will relate to this in security, a lot of what we talk about is preventing things from happening and securing things, but we're also in the business of enablement, enablement of safely adopting tools, safely using AI. So we want to make sure we're allowing the employees at organizations to continue being productive just in a safe way. And I think the last thing that comes to mind when it comes to unifying data security is total cost of ownership. I think budget is always something that is top of mind for security organizations and the finance organizations they have to work with. With a unified data security solution, what this is going to allow you to do is really simplify your security software bill of materials. You can remove a lot of these point solutions and replace with a single unified platform. So you're not only saving on the licensing, the licensing costs of a lot of things versus one thing, but then also the operational costs. You now only need to train your team on a single solution versus many different solutions and operationalizing those.
0:20:13 Max Havey: Totally. And Sinead, any other sort of metrics that come to mind from your end that Eliot didn't cover in his answer there as it relates to identity and networking in that side of the house?
0:20:25 Sinead O'Donovan: Eliot was very comprehensive, so that was awesome. But I do think about user friction. I think that's a very important, we're all about employee and user productivity, and so really being mindful that we don't want it to interfere with productivity and most users are actually good. They might make mistakes. And so I think just thinking through how much friction you're introducing there and how are you enabling them, whether you're coaching them to do the right thing. So the only other two I would talk about is, you want to think about the productivity of your data security team and your SOC as well. So if you're creating a lot of alerts and a lot of like, "Hey, you've got to investigate this user and that user and I saw this flow not working," then they're not going to be very efficient and they might miss something too. So I do think this idea of false positives, false negatives, are two other very, very important metrics and that whatever solution you're using is really catching the things it should and it's not interfering with the users or in making your data security team overworked and missing key risk factors.
0:21:42 Max Havey: Certainly the kind of thing that no security team wants to make things harder for their team, it's about enabling folks versus blocking them from doing the things that they need to get their job done. So it's keeping all of that in mind alongside everything that's helping the security team there. Thinking in sort of the same vein here, Sinead, what are some ways that organizations need to change in order to make a unified strategy work? Does this require or lead to adjustments in the operational side of things? And if so, what does that sort of look like?
0:22:13 Sinead O'Donovan: Yeah, I get this asked a lot and usually when I meet with CISOs and CIOs, I always say to them, you start with really a strong identity foundation. So I ask them, have you decided what's your primary IDP? And go a little deeper because and where's your source of truth on apps? Where are you sourcing? These are all the apps that are in use. These are my users and groups, these are all my devices. This is critical baseline. And then I also think I encourage like, "Hey, you really need an access fabric," which we're sort of saying identity plus network is the perimeter. I sort of say that's another super important base layer. And then you've got your data security which kind of sits on top and the data security is working in concert with these other, and then obviously you have your endpoint controls as well and your cloud controls. So when you're looking at the unified picture, I kind of sort of say, well, what is your unified access policy? And I guess at Microsoft we are always talking about conditional access, but then I also say, then you go to, well, what's your unified data loss prevention policy? Okay, so that's your Purview DLP. So we kind of layer it on and obviously some customers will have a mix of different things. And so you want open systems that will interact with what a customer has as well, and that they have embraced open standards and that different things can plug into because no customer is all one Microsoft or one anything. And so you want to make sure that what your new approach and your sort of maybe going platform approaches, it will meet you where you are and allow you to evolve it over time. I think that's super important as well.
0:24:02 Max Havey: And so Eliot, with that in mind, how do these changes sort of manifest when it comes to the data side of things?
0:24:08 Eliot Sun: I think from when I think about unifying and unifying a security solution and how this impacts the org, at the end of the day, I think about actually probably the bigger impact on the security organization and how that really needs to change in order to successfully utilize the technology, the powerful technology that can be provided by a unified tool. I think a lot of the times it sounds like a great promise. You have this unified tool, you just drop it in, it provides you visibility and it connects everything and surfaces these actionable insights that then you do something about. But it is really not that easy. It sounds great, but it really does take a commitment and investment from the security organization as well. So if you have a siloed security org and a lot of security orgs are, there will be a network security team, there's going to be an identity security team, probably a database security team, et cetera, et cetera. And each of these teams have bought their own purpose-built best of breed products to solve very specific use cases in those areas. And so if you come in and you say, "Hey guys, we have this awesome unified security tool, now you guys are all going to use it," that's just going to fail. It's not going to work. Those silos in the first place have to be broken down, so there's some kind of reorganization that needs to be done, some thought that needs to be done there before you can drop in a tool and have everyone be successful. So I really think that unifying security, at the end of the day, it's going to force these teams to collaborate because they're all going to end up working from a single shared source of truth. And so I think these organizational changes, the evolution, and it doesn't have to happen in a day. This is the process, but it definitely has to be something that's deliberate in order for the unified security technology to help the team actually get their job done.
0:26:08 Max Havey: Certainly. Well, and as we're coming to sort of the end of this conversation here, let's do some hype warnings here. So Sinead, what are some non-negotiable elements of a unified approach that listeners should understand as sort of table stakes?
0:26:24 Sinead O'Donovan: That's a great question. I do think that a very important thing people may not be thinking enough about is how AI is changing everything. And we're really at this watershed moment where it's amazing. First of all, it's incredible what AI will be able to do for productivity and for how we build our products to how we find information, but also understand that we're going to have a new world of these agents and we think of agents as virtual employees even, and there will be more virtual employees than regular employees. So now you've got this sort of new you've got and apps are all going to change. And so you have this, I think from a hype perspective, that was one I would not, it's not overhyped I would say, but it's really important to think about how it changes the game and how the risks go way up and opportunity go way up. So that would be the really important part would be whoever, as you look at their approach is like, well, what is their AI approach and are they leading in using AI? Are they leading in securing AI? And is that a key focus of their offering? You might have a really good unified approach, say that did very well for yesterday's world, but maybe not so well for tomorrow's world, which it's all going to be about AI agents. So that would be the one I would say I would call out from a hype perspective is some people think AI is hyped. I think it's not in the case of data risks.
0:28:02 Max Havey: Certainly. Yeah, no, I think that's sort of one of the big risks that people need to keep in mind as we're continuing to move these things along. And Eliot, as someone on the data side of things, what are some non-negotiables you would recommend as well?
0:28:16 Eliot Sun: Yeah, yeah. So continuing off of what Sinead just mentioned, I think AI is definitely something that you want to look for in a security solution, both in terms of how they're thinking about securing it as well as how they're going to be using it. And in the data world, it's the same, right? Attackers are getting smarter, they themselves are using AI, and so we need to fight AI with AI. I also think that AI is a huge blessing for security in a lot of ways because it really lowers the talent bar in a way when you can build agents, you can utilize AI to make operating security software a lot easier. So now instead of having a team of 20 people, you could probably accomplish that with much fewer people. And hiring security has always been kind of a challenge. So I think this is a blessing for organizations of all sizes. I think one of the warnings, I would say the red flags is there are certainly a lot of startups that are promising agents that are going to be performing entire end-to-end workflows, security workflows. And I think that is something to be careful about and agents can certainly, in my opinion, the evolution of agents is still going to take a while. It'll take a while before especially enterprise organizations are willing to entrust an agent to basically represent a human and perform that entire end-to-end security workflow. But I do think that there's bits and pieces of it today where a human's workflow can certainly be enhanced and made easier and made a lot more productive with AI as something to help them do that. So I totally agree with Sinead on that point. I think a couple other red flags for me, I think in security, I don't know about other industries, but I feel like in security especially, there's always new buzzwords, there's always new acronyms. I think some of the ones that kind of bother me today are single pane of glass. 
And then I think there's companies that are looking for ways to say that in different words, whether it's Omni or 360 or something along those lines that indicates really comprehensive coverage. But if you dig into a lot of these vendors that are saying that, and certainly there are vendors that are backing that promise of single pane of glass, but if you really need to look behind that marketing and look at is this actually unified data security? Is this a real single pane of glass? Because oftentimes where you're going to find is that it's actually just a bolt-on dashboard on top of 10 to 15 unintegrated capabilities. And so that's not unified. I think the other thing is breadth. So you really need to have breadth of coverage. If someone is saying, we provide this Omni 360 single pane of glass unified data security thing, if they're only covering a subset of applications or a subset of the states of data in motion, at rest, in use, that's not covering everything. And in order to really truly provide a unified data security solution in today's world, you have to have that breadth of coverage. And I think the last thing that's top of mind for me, I could probably go on for another hour, but I don't think anyone wants to listen to me talk for another hour. I think the area that Sinead is a subject matter expertise in identity and access, I think that is super, super key. That is something that I believe should be in every single data security solution because identity to me is that link between states. So in order to draw out context and be able to do that mapping of that entire data landscape, data in motion, at rest, in use, and then across all these different data destinations, one of the key links in being able to build that map out and really get that context is identity. So I'm a big, big believer in identity's play, identity's role in unified data security.
0:32:24 Max Havey: Certainly, everything, everything is coming together in the end. You can't have one without the other, and it all works holistically to create this unified approach.
0:32:34 Eliot Sun: Definitely.
0:32:35 Max Havey: Absolutely. I love that, and I love that as a point to end this conversation on. This was great, and I imagine we could keep talking about this indefinitely, but thank you so much for joining, Sinead. Thank you for taking the time. It's great to have your perspective on identity and networking.
0:32:53 Sinead O'Donovan: Thank you for having us, Max. It was wonderful.
0:32:57 Max Havey: Absolutely. And Eliot, thank you for sharing your experience in the world of data security.
0:33:01 Eliot Sun: Yes, thank you, Max. Thank you, Sinead. Yes, the conversation was fantastic.
0:33:05 Max Havey: And with that, you've been listening to the Security Visionaries podcast, and I've been your host, Max. If you enjoyed this episode, share it with a friend and subscribe to Security Visionaries on your favorite podcast platform, whether that's Apple Podcasts, Spotify, or our new video versions on YouTube. There you can find our back catalog of episodes and keep an eye out for new episodes dropping monthly, hosted by me or by my wonderful co-hosts, Emily Wearouth and Bailey Popp. And with that, we'll see you on the next episode.