Data is among a business's most valuable assets, and protecting sensitive information is critical for every organization. When I talk to IT teams, it's clear they face tough decisions about how a vendor should handle their data.
A significant point of confusion is whether to "Extract and Scan" (create snapshots or copies of the data and scan them in the vendor's environment), to do "In-Place Scanning" (run the scanner inside the customer's own environment), or to settle for something in between.
Why Keep Data in its Native Environment?
When prospects ask me about the issues with the "Extract and Scan" model, my answer is simple: transferring customer data to another environment exposes it to a whole new set of security threats, even if the copy is deleted after processing. The customer cannot verify that deletion, nor that no further copies survive in the vendor's backups, caches, or logs. Imagine lending a stranger your car: you might get it back, but you will always wonder what they did with it, and you pay for the fuel they used on top of paying them to drive it.
Data Exposure Risks
Some of the top data exposure risks when customer data is transferred outside of its native environment include:
- Vulnerabilities and Misconfigurations: The vendor's environment has its own attack surface, vulnerabilities, and potential misconfigurations, none of which the customer can assess, patch, or control.
- Insider Threats: Vendor employees with access to the copied data could misuse it, and the customer has no visibility into who accessed it or when.
- Third-Party Risks: Handing data to a third party extends the threat surface to that party's own suppliers and tooling (supply chain attacks), and it makes it much harder for the customer to demonstrate compliance later, because part of the data's handling history now sits outside the customer's own records.
Compliance and Regulatory Challenges
When customer data is transferred outside its native environment, it often crosses not just physical boundaries but regulatory ones as well: a copy may land in a different jurisdiction, under different data-residency rules. Each industry also has its own regulations and standards dictating how data must be handled, stored, and protected. Failing to adhere to them can result in severe penalties, including substantial fines and long-term damage to an organization's reputation.
Customer-Vendor Responsibilities
From my experience, one of the most concerning issues with transferring data to a vendor's environment for scanning is the uncertainty that arises once the relationship with the vendor ends. Customers lose visibility into how their data is managed or disposed of after termination. If a breach occurs, the affected organization is forced to reach back out to the former vendor to determine whether the data it previously handled was compromised. This not only complicates breach response but also raises serious concerns about data privacy and long-term security.
Why Normalyze Chooses to Scan Data In Place
At Normalyze, we were very intentional about designing our platform to scan in place. While we always offer our customers options, our standard is the in-place scanning model, and here's why: by scanning data within its original environment, we minimize exposure to external threats, keep the customer's own security controls in force, and make compliance with data protection regulations easier. It's like having a home security system that never leaves your property: you control it, you trust it, and you know exactly what's happening at all times.
Our patented One-Pass Scanner sits within customer data environments and scans data at scale (~1TB per hour) without extensive set-up or manual tuning; the spin-up, scale-out, scale-down, and tear-down of resources are all managed by the Normalyze platform. So you get the advantages of a fully managed SaaS deployment without the added risk of moving your data out of your environment. The scanner still needs read access to the data stores it inspects, so that access should be scoped and audited like any other workload's; the difference is that the data itself, and the logs of who read it, never leave your control.
Enhanced Security and Reduced Vulnerability
- Minimized Exposure to External Threats: Keeping data in its original environment removes the risks that come with copying and transferring it.
- Control Over Security Controls: Companies can keep enforcing their own tailored security measures (IAM policies, network boundaries, encryption keys, logging) when data does not leave their environment.
- Reduced Complexity in Data Management: Handling data within its native ecosystem simplifies the security model. Organizations retain full control and visibility over the data lifecycle, with no uncertainty about who accessed the data, how long it was retained, or how it was disposed of.
Regulatory Compliance and Data Sovereignty
- Easier Compliance with Data Protection Regulations: Adhering to data protection and data-residency laws is simpler when data stays in the jurisdiction and accounts where it already lives.
- Assurance of Regulatory Compliance: Organizations can better maintain compliance with industry-specific regulations by keeping full control over their data environments and the audit trail that goes with them.
- Liability Risk: Keeping data in the customer environment reduces the customer's liability exposure, because the security vendor does not become an additional custodian of the data, and therefore not an additional party to account for in a breach.
Customer Confidence
- Building Client Trust: Clients trust organizations that can show complete control over, and protection of, their data.
- Transparent Data Handling Practices: Keeping data in-house lets companies be more transparent with their clients about how that data is managed and protected.
- Avoiding Additional Costs: This approach avoids the extra processing costs and uncertainties of transferring data to an external environment. The scanning compute runs in your own account, so it appears on your cloud bill at cost rather than as a vendor markup, keeping our costs about a tenth of those of vendors who have to charge for the processing power they use.
Operational Integrity and Data Accuracy
- Maintains Data Integrity and Relevance: Data in its native environment is only read in place, never copied through an external pipeline, so there is no risk of a stale, corrupted, or altered copy driving decisions and operations.
- Contextual Security Analysis: Findings are produced alongside the data's real access policies, tags, and network context, so security measures can be tailored and implemented more accurately than against a detached copy.
Data handling is a hot topic among everyone evaluating DSPM vendors so hopefully, this gives you some food for thought.
If you are moving forward with vendor evaluations, be sure to check out the DSPM Buyer’s Guide… but wait, there’s more: it comes with a handy Vendor Evaluation template. Download it now!