Database security startup jSonar, founded by Ron Bennatan, was recently acquired by Imperva, a leading cybersecurity company focused on data and application protection.

Transcript

Mitch Ashley: I have the pleasure of being joined today by Ron Bennatan, who is GM of Imperva Data Security. Welcome, Ron.

Ron Bennatan: Thanks. Glad to be here.

Ashley: Good to be talking with you. I’m excited to chat a little bit about data security. Let’s start out with, just introduce yourself, a little bit of your background. I know you had a recent event with your company, Imperva, and tell us a little bit about what Imperva does.

Bennatan: Okay, yeah. I’ll just start with what Imperva does. So, we’re a cyber security leader, we have over 6,000 global customers and we’re just focused on helping them protect data and all paths to it. And kind of what that means is, we have both application security products and data security products, both of them leading in those spaces.

But kind of the, our view is that, in order to do a good job around data security, you really have to look at this as a whole thing, otherwise it becomes, like, a blanket thing, right? You pull it to one direction and you expose yourself on the other side. Because data is—yeah, it’s very complex. And securing all data and all ways that people access data is a difficult thing.

So, like, for example, I could be—I could be really good at securing access to data from privileged insiders, but then you also get access through the applications. And the way that the data tier looks at things, it doesn’t see enough when it’s accessed through the application, so that’s a problem. And then if you do a good job on the application side, you know, maybe on bots and APIs, but maybe you also have insiders, and maybe insiders are different when they access it directly or they’re admins of the data tier or they’re admins of the application tier.

So, really, our view is, in order to do a good job, you really need to look at the whole access and all the paths to it.

Ashley: Excellent.

Bennatan: How did I get here? So, I’m a 30-year data-slash-security guy, so I’ve been both, kind of working on the data side, whether it’s a DBA or application side, but also on the security side.

So, I started my career in the military. I then worked on Wall Street for a while, areas around Sybase and Sybase security, Oracle and Oracle security. Then I was one of the founders of Guardium back in the early 2000s, built this database security business, got acquired by IBM, was the CTO of data security at IBM for a while. Last, founded jSonar, also in the data security space, and then a month ago got acquired by Imperva, so I now lead the data security setup there.

Ashley: You just keep getting acquired. I need to hang out with you a little bit more.

Bennatan: [Laughter]

Ashley: [Laughter] Going back to Sybase—wow. Yeah, I was a Sybase customer. [Cross talk]

Bennatan: [Laughter] You know, it’s still being used all over the place.

Ashley: Isn’t it amazing? Technology never goes away.

Bennatan: It never goes away.

Ashley: We just don’t talk about it as much as we used to. [Laughter] Well, you know, data security is such a fascinating topic. And I don’t mean this in a pejorative way, but it’s a bit like whack-a-mole, right? It’s everywhere and as soon as you think you’ve kinda gotten control over it, it pops up over here, sorta like that balloon that squeezes between your fingers, [Laughter] you think you’ve got your hands around it. And plus, it’s not a static thing, it’s growing and it’s evolving, it’s being used by different applications in different ways.

It’s a huge challenge. I mean, how do you even begin to tackle that from a data security company?

Bennatan: Yeah, so, I mean, first of all, you’re absolutely right. And, you know, we’re all security professionals, so to us, it looks like a bad thing, but before we go down that route, it’s actually a good thing, right?

I mean, the fact that it is so complex, it is because it’s just hyper efficient, right? The people who are building data architectures are amazing. They’re doing an amazing job. Because if you look at data architectures 20 years ago or even 10 years ago compared to what they are today, it’s just—it’s like, it’s like an immature baby compared to what’s happening now.

Ashley: Mm-hmm.

Bennatan: And it’s a good thing, because these are highly optimized systems, very diverse types of workloads, very diverse technologies, right? A database today is not even close to what it was 20 years ago. A data lake today is an amazing thing, okay? You know, it’s hard to even put your finger on exactly what it is, a data lake, when you look at, say, an AWS data lake or an Azure data lake or a GCP data lake. They’re amazing.

So, these are good things, right? Our applications are getting better, they’re getting faster. We can do, like, crazy things with machine learning algorithms doing analysis, telling us how to improve our lives, okay?

Now, as security people, we’re always playing catch up, okay? We’re always—these people are creating these things, and security is never exactly baked into that stack, although it is getting a little better or we’re trying to get it a little better. So, we are playing catch up, and it does create a lot of challenges on what it means to secure it well.

So, you know, the fundamentals have never really changed, right? There’s authentication, there’s authorization, there’s audit, there’s the notion of finding where the data is, classifying the—that stuff doesn’t change. What does change is the complexity of doing each one of those tasks.

So, if you look at—you know, even the first thing you kind of need to start looking at is, you know, find all your sensitive data and make a catalogue of it and know the lineage and—you know, 40 years, we’re doing the same thing. And it just gets harder and harder, because you look at one of these data lakes, you know, I think 10 years ago, when we were building a data lake or thinking of a data lake, we would think of, “Okay, we’re probably doing some kind of a Hadoop project,” okay?

Ashley: Mm-hmm.

Bennatan: Which, in itself, was complex enough as it is, because you’ve got, like, eight or nine different services running, each one doing something a little different.

Ashley: It wasn’t that long ago. I mean—

Bennatan: It wasn’t that long ago, but it’s dead, right? It’s [Laughter]—that part’s dead. Now, we’re building something which is infinitely more complicated. Because—like, I’ll give you an example. A lot of my customers are building things on AWS.

So, you’ve got this—it’s not like the data lives in one place, okay? You’ve got S3 buckets, and then you’ve got access sometimes from Athena, sometimes through Spectrum, sometimes from both. And then you have some DynamoDB or DocumentDB databases for doing transient things, and then you shove it into Redshift so your Tableau can access it. And then you have AWS Glue moving things around, and maybe you even have a Hadoop stack inside EMR for the landing area.

Ashley: You have data in databases inside containerized—

Bennatan: Yeah, everywhere. And then you say, “Well, how do I secure one of these beasts?” And so, yeah, it’s complicated, it’s risky, and we just need to keep up with these guys who are doing a good job with making very innovative architectures. And, you know, it would be great, by the way, if we could’ve baked this into the stack before they even started, okay?

Ashley: Mm-hmm.

Bennatan: But, like, I’m too old to believe in fairytales.

Ashley: You stopped chasing that rainbow, right? [Laughter]

Bennatan: Yeah. And we just do need to keep up with them. We need to keep up with them, we need—you know, because a lot of my customers are larger, and if they’re larger, then sometimes they’re regulated, somehow, or they need to adhere to something.

Ashley: Mm-hmm.

Bennatan: And certainly, these days, they’re all also troubled by all kinds of privacy compliance issues. So, we need to give them controls that they’re used to getting, you know, on the stuff that they’ve been building for the last 30 years on prem. And it gets to a point that the application team wants—you know, they’re ready. They finished everything, they’re migrating it up, and even simple things, not even complex things like cloud. They have an application using SQL on prem and they want to move it to SQL on Azure—simple enough, right?

Not really, because on prem, they know what their tooling looks like, they know what their controls are, they know what they’re doing with privileged access, they know how to scan, they know how to create the policy for defining access. They know how to manage—they know how to do change management around that policy. Now, they all move it to the cloud. Sometimes, those controls are there; more often, they’re not there.

And, you know, so, for example, one of the things that we view as being fundamentally important for us is to make that transition seamless, okay? Same controls. Different methods, different tools, different policy orchestration, but to them, it should look the same. If it looks the same, then when the app team wants to move it over, security stops being this bad guy that says, “Nope, stop. Okay, tell me what you did, here.”

I mean, we can’t be the bad guys, okay? We have to—

Ashley: Can’t be the cops, can’t be the roadblock.

Bennatan: Yeah, yeah. We need to help. We can’t keep stopping things. It’s just a bad, bad—bad dynamic.

Ashley: So, let me ask you. There’s so many dimensions to this and usages of data. So, is that one, instead of, like, getting ahead of all of it and designing it up front, which we wish we always could and doesn’t happen—is that the right approach?

I’m thinking about how do we do security right—is that creating the, whether it’s the tooling or the framework or the structure of how we secure data, making that consistent so, no matter the environment, we now know how to do it, and we can do it in a reasonably consistent way and know that it’s been done as opposed to, you know, n+1 for every environment that we’re in, it’s all different and it’s all complex and nobody can keep track of any of it, more or less secure it. Is that sort of getting our hands around this problem?

Bennatan: Yes, that is absolutely the one sentence summary is exactly that.

Ashley: A lump sentence, but [Laughter]—

Bennatan: A lump sentence. [Laughter] Yeah, yeah, because we need to—we need to abstract things out and hide the complexity, right?

Ashley: Mm-hmm.

Bennatan: We need—the fact that the data environment is so complex, it doesn’t change that if you go high enough, the problem statement or the what you need to do statement is the same, okay? The problem is that when you translate it to, “Okay, what actually happens?” then it tends to be different here, different here, different here.

But at a high enough level, it’s exactly the same thing. So, you know, what—if the environments are getting more sophisticated and the architectures are getting more complex in a good way, if securing them also gets more complex, then we’ve lost. So, what we need to do is make it maintain a single abstraction layer, and then do the magic that translates it into the individual changes.

So, it’s absolutely what we need to do. Now, some of this is a heterogeneous question. Okay, some of it is a heterogeneous thing where, you know, you have different silos and you know, historically, people have always looked at data as a bunch of silos.

Ashley: Mm-hmm.

Bennatan: Okay, there’s like the database silos, the big data silos, the file silo. That stuff gets blurred (a) because in the cloud, it’s very blurry, okay? Like, you can definitely say that S3 is a file system, okay? It’s an object store, it’s kind of like a file system, but then you slap a FINA on top of it, and that gives you SQL queries on top of that file store. So, is it now a file system, or is it a SQL database? What is that thing? It’s—

Ashley: And DynamoDB and now you’ve got a whole bunch of different ways of accessing and using that data.

Bennatan: Yes. So, that’s one piece of it. The other piece of it, which is almost the same sentence that you said, but semantically, it has a different meaning, okay? If you look at kind of the concept of data governance, okay, from—in the last 20 years, it’s always been, like, at the top, there’s things like policy and things like, you know, what are the business requirements? And at the bottom, there’s the tooling. And always, whenever you talk to anybody in this space, they always say, “Don’t start here, don’t start at the bottom by just implementing tooling, start here and then do this.” Well, I’ve yet to meet a single company that has started here. You always start here.

Ashley: When do you get the luxury, right?

Bennatan: Yeah! Look, part of it is just us people, okay? We’re—us people are problematic, okay? [Laughter] People can understand very concrete things very well, and therefore, we can go do a project that does this and we can do a project that does—and the vendor landscape has never helped, because products are like this and like this, so… And you go to the analysts, and the analysts say, “Oh, you need to pick one of these and one of these and one of these.”

So, you know, for many years, it’s been one of these, “Okay, nobody started here, everybody started here.” And then projects have operationalization problems. It’s not that, you know, tools have problems, it’s the fact that, even if a tool does everything it was supposed to be doing, it gets hard to operationalize things. And then you start looking at it and you say, “Okay, within these silos, there’s actually no difference to operationalize things.” It’s the same thing, okay? You need the same processes, you need the same decisions, you need the same policy push down.

So, why are we doing it six times? Why are we not doing it one time? Well, we’re not doing it one time because we didn’t start here. And so, over time, you know, I kind of gave up on people starting here and assumed people would always start here. The question is, that abstraction—can you now take work that you’ve done within any one of those silos and leverage that in order to create that kind of in the middle, like a single control layer, okay?

Ashley: Mm-hmm.

Bennatan: I mean, a single control layer that then uses those tools, but creates something that is, you know, consistent. And if you start creating something that is consistent, then you’re not, you know, you’re not balled into these silos. And then when you’re—when you get some of these more kind of advanced architectures, you know, you’re not screwed, because you didn’t create something just for this silo and this silo and this silo.

Ashley: And then you know that all the bases are covered, too, you’re not having to do a unique process or solution for all the checkmarks you’ve got to put in place, and who knows if those work reliably in every environment, whatever way you figured out to secure the data or do access control or manage data integrity, whatever that is.

Bennatan: Yeah.

Ashley: Let me ask you. I think, maybe other than you getting acquired by Imperva, most of us want to put a checkbox on 2020, kinda wrap it up and, you know, in cellophane, put it into a bucket of cement and drop it in the river, you know? [Laughter] Kinda, let’s get past this year and move on to 2021.

So, as you think forward in getting security right, we’re in this COVID era, right? And, you know, that light switch isn’t gonna turn off any day soon. We’re gonna be some evolution of this for, you know, whether there’s vaccines or not, right? But that has rapidly, I mean, seriously accelerated digital transformation projects, and changed some things fundamentally about assumptions we make. We’ve kinda, we can go to shed some of that evolution and we’re there, in many cases.

How has that affected your thinking around data security in this era? Because we’re in it, we’re not heading towards being transformed, we’re living it right now.

Bennatan: Yeah. You know, I think this is actually one of the few positive side effects of COVID, you know? I can’t tell you how sick I am of being here. I need to go somewhere. I really need to go somewhere, I’m like, sick, but—

Ashley: I know. What day is it, anyway? I can’t figure it out.

Bennatan: Yeah. I just, I just can’t even tell you. [Laughter] But the acceleration that this has given to cloud projects is one of the side effects that I think is very positive. Because, for years, you know, I’m a technology guy, and you know, if it were up to me, everything would be on cloud, bar none. Nothing, nothing—there would be scorched earth everything else. And, you know, I keep hearing people saying, “Yeah, but you know, it’s more expensive.” You know, it’s more expensive only if you look at it at the actual numbers of the cost you pay the cloud providers. But if you look at how much more effective it is and how much easier, it’s like buying super-duper IT, okay?

Ashley: Mm-hmm.

Bennatan: That’s really what it’s about. It’s not about anything else, it’s about finding people who know exactly what they’re doing and that you never get to a point that you always have when you build your own stuff where you’ve got people finger pointing, you know? “No, it’s a storage problem,” “No, it’s a host problem”—it just works, okay?

So, I think it’s great. I think it does create a lot of challenges or security, just because it’s very new, okay? It’s very new and it’s very, very fast. And new doesn’t mean it’s, like, six months old. But even if it’s six years old, it’s all new. It’s like, somebody built everything that anybody built around data centers from scratch, really, okay? Or it looks different or it’s called different.

And then the problem—again, going back to people, the problem is always people. So—so, a lot of companies, what they’ve done in order to accelerate this very, very quickly is, they’ve built a separate security architecture for the cloud group to parallel the cloud architecture group, which is different from the old guys, okay?

So, now you get people who understand data security pretty well, because they’ve done it for many, many years. You have people who understand data very well. And then you have people who understand cloud very well, but they’re not the same people, okay?

Ashley: Mm-hmm.

Bennatan: So, now, you get a skills issue and almost like a language issue, okay? It’s like Babel again in some respects. It’s like, how do you call this? What is this? Is it the same? You know, what’s a VPC, how many different ways do you have to connect things into a VPC? What does that impact my data architecture, and what are the flows?

And so, I do look at 2021 as a great, great year, because, you know, if people have been going at a certain pace into the cloud, it’s all accelerated. It’s—

Ashley: You know, I think that is a really important point, because when you’ve been disrupted—and we’ve all been disrupted in our personal lives, but when you accelerate something that fast, you know, the saying, “necessity is the mother of invention”? Well, necessity with urgency is, like, the mother of invention right now.

Bennatan: Yeah.

Ashley: And it’s almost like you can’t do things the way you’ve been doing, you can’t go along in parallel paths, because suddenly we’re all now here. We’re all in the cloud together or in a place that’s much different than we were.

Do you think that that is enough of an accelerant to get sort of those silos of people across cloud security and on prem security and those start to work together of thinking how we manage? Because so much more of it now has moved to the cloud—or is that a good assumption? I mean, tell me what your thoughts are.

Bennatan: Eh, you know, it’s—because it’s people—

Ashley: [Laughter]

Bennatan: – [Laughter] I, I don’t know how to answer that, you know? We’re getting into the realms of psychology more than anything. But I can tell you that, you know, it’s gotta happen, and we’re gonna make mistakes, right? As an industry, we’re gonna do this, it’s good that we’re doing it. And we’re gonna make more mistakes, because it’s less known, because we don’t always have the right skills.

Ashley: Mm-hmm.

Bennatan: And I think it’s our job, you know, our job in the industry is to try to reduce those mistakes. Because mistakes lead to things that we don’t want to happen, and we do have the ability to avoid mistakes, okay? We just need to be very clear—we can’t be, like, super techies about it, okay? We have to do things that are practical. Because what you asked is about human behavior. So, really, it’s not enough we create technology, we need to create technology that is accessible to people and that people can consume very easily.

It’s one of the things that, kind of, in security, I think we never—I think we’re doing a much better job now, and my entire focus is really on this, on making things practical and usable very often more important than a certain feature function, okay?

Ashley: Mm-hmm, mm-hmm. I totally agree with that, yeah. Well, you know, what I was thinking about is that, when you have that disruption, think about choosing productivity tools. How many organizations were debating, “We’re gonna go to Teams, we’re gonna go to Slack, let’s study it for a year” and it turns into two years and you final make a decision. All of a sudden, that decision gets made in two weeks or a week or a day—a couple days.

Bennatan: Yes.

Ashley: Like, how could—you just have to. You’re forced to make some decisions and make some changes.

What I’m wondering is, if you accelerate to the cloud and you have, you know, a framework, an architecture, something like an Imperva that—okay, we’ve solved some of those issues, let’s just solve them for other folks and help each other save some time, right? You don’t have to—sure, check me out, validate it, you think this is all the right thing to do. But if you’ve got to do something quick, we’ve got a good bit of that problem solved. It seems like you’re in a good position from that standpoint.

Bennatan: Yeah, and I do believe so. I think that we started very early with the cloud and how do you do this well, and so we are in a good position.

I also really [Laughter]—you know, you said something about this productivity tools making the decision in two weeks, and it’s one of my, you know, one of my pet peeves for my entire life has been something—I don’t see it changing, by the way, yet, but I really wish it would change, okay? Is this concept of a POC, okay? Where you—you know, you need something, like, go back to your two years versus two weeks. What does that mean? It means, somebody picked without doing a POC, right? [Laughter]

Ashley: Make a bet and if it’s wrong, we’ll change it.

Bennatan: Okay, make a bet, and make a bet based on what? You made a bet based on, you know—

Ashley: Best [Cross talk].

Bennatan: – either something that’s more usable or very usable, [Cross talk] or something that everybody else is using.

Ashley: [Cross talk] at the result. I think that’s what it comes down to, right? What is gonna get us the quickest understanding? Nothing’s gonna be perfect, we’re gonna have issues with whatever we choose already, of course.

Bennatan: Yeah, yeah, and this entire industry forever has been, “Okay, I can’t pick anything until I do a POC, but when I do a POC, I’m actually not even checking what’s important, because I can’t reproduce my production environment. I can’t reproduce the load, so I’m just gonna test something, okay? I’ll test, like, really simple things—can you do this, can you do that?”—which has absolutely no bearing on whether you’ll succeed or not.

And what I’m starting to see, especially on the cloud, because it’s much easier to just look at things, much easier to talk to people, much easier to see what your colleagues are doing, what your peers are doing is, I’m hoping that that accelerates things. Because if we need to do something tomorrow, we’re just not gonna wait. We’re not gonna wait nine months.

Ashley: So, here’s what might start to change that behavior. I’m not gonna proclaim that it’s changed that behavior, but through this COVID experience, using that productivity tool example—guess what? Executives, the non-techies of the company, look at us and say, “How come we can make a decision in two days when we were gonna take two years to do it? If we can make that decision in two days, I want us to make the other decisions quickly. Maybe it’s not always two days, but we’ve proven we can make some good decisions under some very difficult conditions and rapidly. Let’s exercise and build up that muscle and do that more often than the thing that we debate about forever.”

Bennatan: Yeah.

Ashley: So, I think there may be some pressure from the business, who’s also, by the way, very disruptive, they’re having to adjust, they’re having to go into defense or offensive mode in the business climate, and they want to be able to experiment very quickly—that’s part of what digital transformation is about, right? Try some things, experiment, and market, go after—you know, learn quickly, much like we do in kinda continuous improvement.

So, that might be the thing that nudges us off of the comfortable stool of, “Let’s take nine months-slash-two years to study it and make a decision or run it—you know, do an RFP for everything.” I hate RFPs, but—

Bennatan: Yeah.

Ashley: – just like POCs for you. [Laughter]

Bennatan: Yeah.

Ashley: But maybe that’s the thing that tilts it a little bit. I mean, I’m not gonna declare success yet, but…

Bennatan: I agree, I agree. I think it’s—you know, I’ve been in startups all of my life, okay? So, one of the things that is really fundamental when you look at a VC that’s investing in a company, they’re investing in the people, not in the company.

Ashley: Exactly.

Bennatan: I mean, this technology, they don’t know yet, okay?

Ashley: They know you don’t have it figured out, otherwise somebody else would’ve done it.

Bennatan: Yeah, yeah.

Ashley: Right? So, your job is to figure it out, but get the right people that can do it.

Bennatan: But they invest a lot of money very quickly, okay? They don’t take nine months, right? So, I believe that, you know, when people look at their partners, who they’re gonna partner with, they need to look at, you know, what are the founding principles of the company? How much is the company gonna care about me? What is it gonna do for me? Are they gonna be there when I need them?

And I’m not saying technology’s not important, because product is everything, but it’s product and the people that stand behind it, and the decisions need to be made, also, from the business level.

Ashley: So, we’re kinda running up against our time, here. I’m gonna point out this irony and hopefully you’ll come back and talk about it. So, you were just talking about investing in people, which is what VCs do, I totally agree with that. And earlier we were talking about—well, the problem we were talking about is human behavior and people, right? So, [Laughter] there are conditions of which will drive different behaviors, and hopefully that’s something we can explore about data and data security some more. We’ll have you back again soon.

Bennatan: Yeah. Okay, I’d love that.

Ashley: Good. Well, Ron, it’s been a pleasure. I wish you all the best. Congratulations on the acquisition and hopefully, you’ll be able to get out of your four brick wall cell there at some point and get out and enjoy the world again. [Laughter]

Bennatan: [Laughter]

Ashley: All of us will, but I wish you the best. It’s been great talking with you.

Bennatan: Hopefully. Thanks, Mitch.

Ashley: Great. Thanks for joining us today, folks. We’ll talk to you soon.