Think Data Protection, not Data Loss Prevention

Reducing data protection to data loss prevention not only obscures the real problem but also hampers the search for systemic solutions rather than Band-Aids dictated by attacker behavior. At SineWave, we look for data protection technologies that not only prevent unintended recipients (a.k.a. bad guys) from accessing or corrupting your data, but that also prevent intended recipients (a.k.a. good guys) from accessing data that is not meant for them, from using that data in unintended ways, or from accessing data in unintended circumstances. This is what is meant by a zero-trust approach to data: the system allows all and only those forms of access that are approved. With zero-trust data protection, the data becomes the perimeter, and policies are defined and enforced down to the data layer rather than at the network or application boundary. An architecture that supports zero-trust data protection enables ways of working and collaborating that were previously too risky to permit.

We at SineWave also realize that data protection must extend over every stage of the data lifecycle: at rest and in motion, as traditional solutions allow, but also in use, which is what confidential computing enables. The early popular manifestation of data-in-use protection is the data clean room, which lets collaborators compute on shared data without ever being exposed to the data itself. However, this only scratches the surface of confidential computing, and a robust confidential computing platform opens up new data use opportunities.

SineWave has invested in several companies that reflect this commitment to zero-trust data protection and confidential computing. Interestingly, none of these are classified as data loss prevention companies, but they all provide robust data protection throughout the data lifecycle.

Fluree: Fluree enables intelligent data. Intelligent data has its provenance embedded inside: you can verify exactly who created each fact or assertion, and every change made to it. It is tamper-evident: if any datum is ever accessed or changed, you can see who did it and when, and roll the change back if needed. It is also self-describing, so that people, systems and algorithms can understand what each data point means and make reasonable inferences from it. Access control is embedded directly inside the data as well. Finally, intelligent data enables "zero-copy" distribution: data is decentralized and virtually available without physically moving it or creating a copy for each consumer.
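To make the provenance and tamper-evidence properties concrete, here is an added illustration written for this page, not Fluree's code: an append-only log of facts in which every entry carries its own provenance (the actor, a logical clock tick, and the entry it retracts, if any) plus the digest of the preceding entry. The subject/predicate/object shape, the `tick` clock, the account data and the `tamper` helper are all constructed for the demo.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import Optional

# Added illustration, not Fluree's code: an append-only fact log where each
# fact embeds its provenance and the hash of the previous entry, so edits to
# history are detectable and changes are undone by appending a retraction
# rather than by rewriting the past.

GENESIS = "0" * 64


@dataclass(frozen=True)
class Fact:
    subject: str
    predicate: str
    obj: object
    actor: str               # who asserted the fact
    tick: int                # constructed logical clock (a real system also records wall-clock time)
    retracts: Optional[int]  # index of the fact this entry retracts, or None
    prev_hash: str           # digest of the previous entry; this chains the log

    def digest(self) -> str:
        payload = json.dumps(
            {"s": self.subject, "p": self.predicate, "o": self.obj, "actor": self.actor,
             "t": self.tick, "retracts": self.retracts, "prev": self.prev_hash},
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode()).hexdigest()


class FactLog:
    def __init__(self) -> None:
        self.entries: list = []
        self._tick = 0

    def assert_fact(self, subject, predicate, obj, actor, retracts=None) -> int:
        """Append a fact and return its index. Nothing already in the log is touched."""
        self._tick += 1
        prev = self.entries[-1].digest() if self.entries else GENESIS
        self.entries.append(Fact(subject, predicate, obj, actor, self._tick, retracts, prev))
        return len(self.entries) - 1

    def roll_back(self, index: int, actor: str) -> int:
        """Undo fact `index`, recording who rolled it back and when."""
        target = self.entries[index]
        return self.assert_fact(target.subject, target.predicate, None, actor, retracts=index)

    def head(self) -> str:
        return self.entries[-1].digest() if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> bool:
        """Recompute the chain; a modified, inserted or dropped entry breaks it."""
        prev = GENESIS
        for fact in self.entries:
            if fact.prev_hash != prev:
                return False
            prev = fact.digest()
        # Editing the newest entry leaves the chain internally consistent, so the
        # head digest must also be compared with a copy kept out of band.
        return expected_head is None or prev == expected_head

    def current(self, subject, predicate):
        """Latest live assertion for (subject, predicate) with its provenance, or None."""
        retracted = {f.retracts for f in self.entries if f.retracts is not None}
        for i in range(len(self.entries) - 1, -1, -1):
            f = self.entries[i]
            if f.retracts is not None or i in retracted:
                continue  # skip retraction markers and facts that were retracted
            if f.subject == subject and f.predicate == predicate:
                return f.obj, f.actor, f.tick
        return None

    def history(self, subject, predicate):
        """Every assertion and retraction ever recorded for the pair, oldest first."""
        return [(i, f.actor, f.tick, f.obj, f.retracts) for i, f in enumerate(self.entries)
                if f.subject == subject and f.predicate == predicate]


def tamper(log: FactLog, index: int, new_obj) -> None:
    """Simulate an attacker editing a stored fact in place (constructed for the demo)."""
    log.entries[index] = replace(log.entries[index], obj=new_obj)
```

The point of `verify(expected_head)` is the edge case a bare hash chain misses: changing the newest entry does not break any link, so the head digest has to be anchored somewhere the writer cannot reach (a signed checkpoint, a peer, a separate store).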

Dymium: Dymium protects your data by providing access to ephemeral, policy-enforcing data structures rather than to the data itself. Users and collaborators don't get a free pass to the whole store; they are served all and only the data they are permitted to see. In doing this, Dymium leaves data where it is and in its native format, with no changes to the data infrastructure. It dynamically applies universal access policies while leveraging existing IAM, and applies policy-based data transformation by identity type. It also creates a complete audit trail, so there is full accountability for data access.
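The following is an added example, written for this page and not Dymium's code, of what "all and only the data they are permitted to see" looks like as a mechanism: a view layer that keeps the source rows untouched, shapes each response by the caller's identity type (column allow-list, row filter, per-column transformation) and writes an audit record for every request, allowed or denied. The patient records, the `POLICY` table, the identity dict with a `type` field standing in for the IAM's group or role, and the `TOKEN_KEY` are all constructed.

```python
import hashlib
import hmac

# Added example, not Dymium's code: a policy-enforcing view that serves a caller
# all and only the rows and columns its identity type may see, transforms
# sensitive columns per policy, leaves the underlying rows untouched and in
# their native format, and records an audit entry for every request.

# Constructed sample records; a real deployment reads them from the existing
# store rather than copying them.
PATIENTS = [
    {"id": 1001, "name": "Ada Lovelace", "dob": "1815-12-10", "region": "EU", "dx": "J45"},
    {"id": 1002, "name": "Grace Hopper", "dob": "1906-12-09", "region": "US", "dx": "I10"},
    {"id": 1003, "name": "Sophie Germain", "dob": "1776-04-01", "region": "EU", "dx": "E11"},
]

# Constructed key for the tokenization transform; in practice it lives in a KMS
# and is never shared with consumers of the view.
TOKEN_KEY = b"constructed-tokenization-key"

TRANSFORMS = {
    "tokenize": lambda v: hmac.new(TOKEN_KEY, str(v).encode(), hashlib.sha256).hexdigest()[:12],
    "year_only": lambda v: v[:4],
    "initials": lambda v: "".join(part[0] + "." for part in v.split()),
}

# Policy keyed by identity type, assumed to come from the existing IAM (here it
# is simply a field on the identity dict). Each rule says which columns are
# visible, which rows, and which columns are transformed before being served.
POLICY = {
    "clinician": {"columns": ["id", "name", "dob", "dx"], "rows": lambda r: True, "transform": {}},
    "analyst": {"columns": ["id", "dob", "region", "dx"], "rows": lambda r: True,
                "transform": {"id": "tokenize", "dob": "year_only"}},
    "billing-eu": {"columns": ["id", "name", "region"], "rows": lambda r: r["region"] == "EU",
                   "transform": {"name": "initials"}},
}


class PolicyView:
    def __init__(self, rows, policy, transforms):
        self._rows = rows
        self._policy = policy
        self._transforms = transforms
        self.audit = []  # one entry per request, allowed or denied

    def _record(self, identity, columns, outcome, count):
        self.audit.append({"who": identity.get("sub"), "type": identity.get("type"),
                           "columns": list(columns or []), "outcome": outcome, "rows": count})

    def query(self, identity, columns=None):
        """Return the ephemeral, policy-shaped view for this identity.
        Fails closed: an unknown identity type, or any requested column outside
        the allowed set, denies the whole request instead of silently narrowing it."""
        rule = self._policy.get(identity.get("type"))
        if rule is None:
            self._record(identity, columns, "deny:unknown-identity-type", 0)
            raise PermissionError("no policy for identity type")
        requested = list(columns) if columns else list(rule["columns"])
        denied = [c for c in requested if c not in rule["columns"]]
        if denied:
            self._record(identity, requested, "deny:columns=" + ",".join(denied), 0)
            raise PermissionError(f"columns not permitted: {denied}")
        view = []
        for row in self._rows:
            if not rule["rows"](row):
                continue
            shaped = {}
            for col in requested:
                fn = rule["transform"].get(col)
                shaped[col] = self._transforms[fn](row[col]) if fn else row[col]
            view.append(shaped)
        self._record(identity, requested, "allow", len(view))
        return view
```

Two design choices worth copying: the view fails closed on any column outside the allow-list rather than quietly dropping it, so a misconfigured client cannot probe for columns, and the tokenization is a keyed HMAC rather than a bare hash, so a consumer holding the token cannot brute-force the small space of identifiers back to the original.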

Operant: Operant brings real-time, in-line defense of all data in use, across every interaction from infrastructure to APIs. With automated redaction of sensitive data, zero instrumentation, and zero code changes, Operant fortifies cloud-native apps, fostering the cyber-resilience needed for secure, scalable development. Operant also provides identity and access analytics, including analytics on broken permissions, identities and roles, prevention of risky and leaky data access, and fine-grained access timelines for machine and application identities.

Anjuna: Anjuna enables the enterprise to easily create a Trusted Execution Environment (TEE). It abstracts the instantiation of a TEE (secure enclave) to isolate data, code and secrets. Anjuna Seaglass also virtualizes modern CPUs and cloud infrastructure services to offer hardware-enforced isolation that protects against unauthorized access by users or software, regardless of privilege level, including privileged system software such as the operating system or hypervisor. Anjuna users can encrypt data in all three states: at rest, in transit and in use, so that sensitive workloads run with their data always encrypted. Anjuna Seaglass implements a confidential runtime that keeps data encrypted in use inside the TEE, and controls at-rest and in-transit encryption so that data is not exposed as it leaves the confidential computing environment. In addition, Anjuna authenticates the identity of your code: through attestation, both infrastructure and applications can be verified before they are allowed to boot, creating a high-trust environment. Anjuna Seaglass uses a cryptographic attestation policy manager to orchestrate the secure distribution of secrets to applications inside the enclave, so a secret is released only to code whose attested measurement matches policy. Note that attestation establishes which code is running, not that the code is free of bugs, so the measured application still has to be reviewed like any other. Finally, Anjuna enables enterprises to secure apps across clouds without rework. Users can run and manage all applications, traditional and cloud-native, on all the leading public clouds (AWS, Azure, Google Cloud) without code changes and with a consistent operational model.
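The attestation-gated secret release described above, as an added example written for this page and not Anjuna's code: the enclave side produces a signed report over the measurement of the loaded code, and a policy manager verifies the report, checks freshness, debug status, platform version and the measurement allow-list, and only then hands over the secret. Real hardware signs the report with a key the CPU holds and the verifier checks through the vendor's certificate chain; here `PLATFORM_ATTESTATION_KEY`, the HMAC in its place, the `svn` field, the `enclave_key_id` and the sample code bytes are all constructed so the example runs offline with the standard library.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not Anjuna's code: the exchange between an enclave and an
# attestation policy manager. The platform measures the code loaded into the
# enclave and signs a report over it; the policy manager verifies the report,
# checks it against policy and only then releases the secret.
#
# Stand-in for the platform's attestation signing key. An HMAC with a
# constructed key replaces the hardware signature so the example runs offline.
PLATFORM_ATTESTATION_KEY = b"constructed-platform-key"


def measure(code: bytes) -> str:
    """The enclave's identity: a digest of exactly the code that was loaded."""
    return hashlib.sha256(code).hexdigest()


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def enclave_generate_report(code: bytes, nonce: bytes, enclave_key_id: str,
                            debug: bool = False, svn: int = 3) -> dict:
    """Enclave side. report_data binds the verifier's nonce and the enclave's own
    key id into the signed report, so a report cannot be replayed later or
    redirected to a different enclave. `svn` is a constructed platform
    security version number."""
    body = {
        "measurement": measure(code),
        "report_data": hashlib.sha256(nonce + enclave_key_id.encode()).hexdigest(),
        "debug": debug,
        "svn": svn,
    }
    sig = hmac.new(PLATFORM_ATTESTATION_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class AttestationPolicyManager:
    """Verifier side: holds the secrets and the policy saying which measured
    code, on which minimum platform version, may receive each one."""

    def __init__(self, secrets_by_measurement: dict, min_svn: int):
        self._secrets = secrets_by_measurement
        self._min_svn = min_svn
        self._pending = set()

    def issue_nonce(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def release_secret(self, report: dict, nonce: bytes, enclave_key_id: str):
        """Return (secret, "ok") or (None, reason). Every check fails closed."""
        body = report.get("body", {})
        expected_sig = hmac.new(PLATFORM_ATTESTATION_KEY, _canonical(body),
                                hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, report.get("sig", "")):
            return None, "report signature invalid"
        if nonce not in self._pending:
            return None, "unknown or replayed nonce"
        self._pending.discard(nonce)  # single use, even if a later check fails
        bound = hashlib.sha256(nonce + enclave_key_id.encode()).hexdigest()
        if body.get("report_data") != bound:
            return None, "report not bound to this request and enclave"
        if body.get("debug"):
            return None, "debug-mode enclave is not trusted with production secrets"
        if body.get("svn", 0) < self._min_svn:
            return None, "platform security version below policy minimum"
        secret = self._secrets.get(body.get("measurement"))
        if secret is None:
            return None, "code measurement not in policy"
        return secret, "ok"
```

The measurement the policy manager trusts is computed by the operator from the reviewed build, so a changed binary, a debug build or an out-of-date platform gets nothing. In this stdlib-only version the secret is returned directly once the checks pass; a production policy manager would instead encrypt it to the enclave key whose identifier is bound into `report_data`, so that only the attested enclave can unwrap it.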

With solutions such as these, we no longer need to focus narrowly on data loss prevention, but can assure fine-grained protection of data across a variety of existing and emerging use cases.