As we transition to a data-centric world, data is becoming more vulnerable. Startup Fluree believes the answer lies in more closely integrating storage and security, to the point where they are symbiotic.
Fluree co-CEO Brian Platz discusses the concept of data-centric security and letting data defend itself—and why it’s so important in 2019.
ITPro Today: Your company is based on the premise that the traditional approach to data storage and protection doesn’t work well anymore. Why?
Platz: Today, data doesn’t just talk to one application. It talks to many—sometimes hundreds or thousands of applications. And data today is available to multiple customers, applications and partners. So the old approach to storage, which worked well in the app-centric world, doesn’t work as well in today’s data-centric world. We’re struggling to figure out how to solve data security in a world where we have introduced a lot of vulnerabilities.
ITPro Today: What do you mean by letting data defend itself?
Platz: If you can embed data security with what you’re using to store the data—typically a database—you’re essentially letting the data defend itself. It requires creating data security rules for every application that is distributing information to the data, and keeping everything in sync. If you have multiple applications talking to the same database, for example, those data security rules can be reproduced identically across every application. As a result, queries will dynamically filter the data based on the user connecting to the data. In other words, it’s about using a tool to store managed data that has everything you need to allow users to connect to it without having to worry about leaking data or having invalid updates.
ITPro Today: As opposed to having separate tools or systems for storage and security?
Platz: Exactly. All of the data security is coded into the application tier, which has the root access to the database. If you put the security and the data-centric rules alongside the data being stored, you have centralized the security around the information, and it will automatically be changed and updated as needed in one place.
ITPro Today: How would the data-centric rules work?
Platz: In our platform, you can write code stored as data that can create rules to enforce the security around it. Essentially, we’re providing a programming language to embed right in the database that controls access, and the code you’re writing itself is also treated as data, so it’s managed with the same security as the rest of the data. And we actually store and manage the data as a blockchain, which brings a lot of integrity to the information. You can’t possibly manipulate the data without detection. You can’t even change a period in historical data without it being flagged as having been tampered with.
ITPro Today: Can organizations find ways to integrate data storage and security without buying a specific solution like Fluree?
Platz: Sure. The main way to do it is through APIs. That’s the way most of us share data today; we build an API. The issues are that APIs are rigid, which lends organizations to creating a lot of them. It’s easy to end up with hundreds of APIs very quickly. But building and maintaining APIs can be expensive, not only to build and test them but to maintain them, because your data rules and what you’re storing and managing change. If you want to change the security rules around your data, or you are storing more or less data or storing data differently, it changes everything. You have to know every single place where code has been written that enforces security around the information and update it at every one of those places in the identical way.
ITPro Today: Are there any other options?
Platz: Facebook’s GraphQL is a way to address the problem of the explosion of APIs, and there are plenty of open-source tools around the GraphQL interface. GitHub, for example, now has a GraphQL interface, which can be used to replace multiple API endpoints.
ITPro Today: Are there other benefits to essentially marrying data storage and security other than the increased security itself?
Platz: Many of us have spent our whole lives being fearful of [data access], and we put layers of firewalls in front of our databases to protect the data. But this actually opens up the possibility that your database can be more valuable, because it has the proper protection. You can have richer interfaces where people can describe the data they want out of the system and it will come back in the exact shape and parameters that they described. They can just describe how they want the data, hit it once basically through this interface and get it.
ITPro Today: With all of these options, there is clearly a way around the data-centric security problem. What advice would you offer IT professionals on how to do it right?
Platz: Think about everything with a data-first mentality when building applications instead of an application-first approach. Think about applications as a portal into the data. This goes a long way toward increasing security, because you’re not maintaining security in as many places. It also reduces cost because you don’t have to build a lot of API endpoints. And it allows you to be more collaborative around your data with your partners and consumers. They can even update directly if you give them the permission to do so.