Database security startup jSonar, founded by Ron Bennatan, was recently acquired by Imperva, a leading cybersecurity company focused on data and application protection.
In this episode of TechStrong TV, Ron Bennatan, general manager of data security at Imperva, joins us to discuss the plethora of data security challenges across cloud environments. They also talk about the significant increase in data usage and creation as a result of COVID-19.
The video is immediately below, followed by the transcript of the conversation. Enjoy!
Transcript
Mitch Ashley: I have the pleasure of being joined today by Ron Bennatan, who is GM of Imperva Data Security. Welcome, Ron.
Ron Bennatan: Thanks. Glad to be here.
Ashley: Good to be talking with you. I’m excited to chat a little bit about data security. Let’s start out with, just introduce yourself, a little bit of your background. I know you had a recent event with your company, Imperva, and tell us a little bit about what Imperva does.
Bennatan: Okay, yeah. I’ll just start with what Imperva does. So, we’re a cyber security leader, we have over 6,000 global customers and we’re just focused on helping them protect data and all paths to it. And kind of what that means is, we have both application security products and data security products, both of them leading in those spaces.
But kind of the, our view is that, in order to do a good job around data security, you really have to look at this as a whole thing, otherwise it becomes, like, a blanket thing, right? You pull it to one direction and you expose yourself on the other side. Because data is--yeah, it’s very complex. And securing all data and all ways that people access data is a difficult thing.
So, like, for example, I could be--I could be really good at securing access to data from privileged insiders, but then you also get access through the applications. And the way that the data tier looks at things, it doesn’t see enough when it’s accessed through the application, so that’s a problem. And then if you do a good job on the application side, you know, maybe on bots and APIs, but maybe you also have insiders, and maybe insiders are different when they access it directly or they’re admins of the data tier or they’re admins of the application tier.
So, really, our view is, in order to do a good job, you really need to look at the whole access and all the paths to it.
Ashley: Excellent.
Bennatan: How did I get here? So, I’m a 30-year data-slash-security guy, so I’ve been both, kind of working on the data side, whether it’s a DBA or application side, but also on the security side.
So, I started my career in the military. I then worked on Wall Street for a while, areas around Sybase and Sybase security, Oracle and Oracle security. Then I was one of the founders of Guardium back in the early 2000s, built this database security business, got acquired by IBM, was the CTO of data security at IBM for a while. Last, founded jSonar, also in the data security space, and then a month ago got acquired by Imperva, so I now lead the data security setup there.
Ashley: You just keep getting acquired. I need to hang out with you a little bit more.
Bennatan: [Laughter]
Ashley: [Laughter] Going back to Sybase--wow. Yeah, I was a Sybase customer. [Cross talk]
Bennatan: [Laughter] You know, it’s still being used all over the place.
Ashley: Isn’t it amazing? Technology never goes away.
Bennatan: It never goes away.
Ashley: We just don’t talk about it as much as we used to. [Laughter] Well, you know, data security is such a fascinating topic. And I don’t mean this in a pejorative way, but it’s a bit like whack-a-mole, right? It’s everywhere and as soon as you think you’ve kinda gotten control over it, it pops up over here, sorta like that balloon that squeezes between your fingers, [Laughter] you think you’ve got your hands around it. And plus, it’s not a static thing, it’s growing and it’s evolving, it’s being used by different applications in different ways.
It’s a huge challenge. I mean, how do you even begin to tackle that from a data security company?
Bennatan: Yeah, so, I mean, first of all, you’re absolutely right. And, you know, we’re all security professionals, so to us, it looks like a bad thing, but before we go down that route, it’s actually a good thing, right?
I mean, the fact that it is so complex, it is because it’s just hyper efficient, right? The people who are building data architectures are amazing. They’re doing an amazing job. Because if you look at data architectures 20 years ago or even 10 years ago compared to what they are today, it’s just--it’s like, it’s like an immature baby compared to what’s happening now.
Ashley: Mm-hmm.
Bennatan: And it’s a good thing, because these are highly optimized systems, very diverse types of workloads, very diverse technologies, right? A database today is not even close to what it was 20 years ago. A data lake today is an amazing thing, okay? You know, it’s hard to even put your finger on exactly what it is, a data lake, when you look at, say, an AWS data lake or an Azure data lake or a GCP data lake. They’re amazing.
So, these are good things, right? Our applications are getting better, they’re getting faster. We can do, like, crazy things with machine learning algorithms doing analysis, telling us how to improve our lives, okay?
Now, as security people, we’re always playing catch up, okay? We’re always--these people are creating these things, and security is never exactly baked into that stack, although it is getting a little better or we’re trying to get it a little better. So, we are playing catch up, and it does create a lot of challenges on what it means to secure it well.
So, you know, the fundamentals have never really changed, right? There’s authentication, there’s authorization, there’s audit, there’s the notion of finding where the data is, classifying the--that stuff doesn’t change. What does change is the complexity of doing each one of those tasks.
So, if you look at--you know, even the first thing you kind of need to start looking at is, you know, find all your sensitive data and make a catalogue of it and know the lineage and--you know, 40 years, we’re doing the same thing. And it just gets harder and harder, because you look at one of these data lakes, you know, I think 10 years ago, when we were building a data lake or thinking of a data lake, we would think of, “Okay, we’re probably doing some kind of a Hadoop project,” okay?
Ashley: Mm-hmm.
Bennatan: Which, in itself, was complex enough as it is, because you’ve got, like, eight or nine different services running, each one doing something a little different.
Ashley: It wasn’t that long ago. I mean--
Bennatan: It wasn’t that long ago, but it’s dead, right? It’s [Laughter]--that part’s dead. Now, we’re building something which is infinitely more complicated. Because--like, I’ll give you an example. A lot of my customers are building things on AWS.
So, you’ve got this--it’s not like the data lives in one place, okay? You’ve got S3 buckets, and then you’ve got access sometimes from Athena, sometimes through Spectrum, sometimes from both. And then you have some DynamoDB or DocumentDB databases for doing transient things, and then you shove it into Redshift so your Tableau can access it. And then you have AWS Glue moving things around, and maybe you even have a Hadoop stack inside EMR for the landing area.
Ashley: You have data in databases inside containerized--
Bennatan: Yeah, everywhere. And then you say, “Well, how do I secure one of these beasts?” And so, yeah, it’s complicated, it’s risky, and we just need to keep up with these guys who are doing a good job with making very innovative architectures. And, you know, it would be great, by the way, if we could’ve baked this into the stack before they even started, okay?
Ashley: Mm-hmm.
Bennatan: But, like, I’m too old to believe in fairytales.
Ashley: You stopped chasing that rainbow, right? [Laughter]
Bennatan: Yeah. And we just do need to keep up with them. We need to keep up with them, we need--you know, because a lot of my customers are larger, and if they’re larger, then sometimes they’re regulated, somehow, or they need to adhere to something.
Ashley: Mm-hmm.
Bennatan: And certainly, these days, they’re all also troubled by all kinds of privacy compliance issues. So, we need to give them controls that they’re used to getting, you know, on the stuff that they’ve been building for the last 30 years on prem. And it gets to a point that the application team wants--you know, they’re ready. They finished everything, they’re migrating it up, and even simple things, not even complex things like cloud. They have an application using SQL on prem and they want to move it to SQL on Azure--simple enough, right?
Not really, because on prem, they know what their tooling looks like, they know what their controls are, they know what they’re doing with privileged access, they know how to scan, they know how to create the policy for defining access. They know how to manage--they know how to do change management around that policy. Now, they all move it to the cloud. Sometimes, those controls are there; more often, they’re not there.
And, you know, so, for example, one of the things that we view as being fundamentally important for us is to make that transition seamless, okay? Same controls. Different methods, different tools, different policy orchestration, but to them, it should look the same. If it looks the same, then when the app team wants to move it over, security stops being this bad guy that says, “Nope, stop. Okay, tell me what you did, here.”
I mean, we can’t be the bad guys, okay? We have to--
Ashley: Can’t be the cops, can’t be the roadblock.
Bennatan: Yeah, yeah. We need to help. We can’t keep stopping things. It’s just a bad, bad--bad dynamic.
Ashley: So, let me ask you. There’s so many dimensions to this and usages of data. So, is that one, instead of, like, getting ahead of all of it and designing it up front, which we wish we always could and doesn’t happen--is that the right approach?
I’m thinking about how do we do security right--is that creating the, whether it’s the tooling or the framework or the structure of how we secure data, making that consistent so, no matter the environment, we now know how to do it, and we can do it in a reasonably consistent way and know that it’s been done as opposed to, you know, n+1 for every environment that we’re in, it’s all different and it’s all complex and nobody can keep track of any of it, more or less secure it. Is that sort of getting our hands around this problem?
Bennatan: Yes, that is absolutely the one sentence summary is exactly that.
Ashley: A lump sentence, but [Laughter]--
Bennatan: A lump sentence. [Laughter] Yeah, yeah, because we need to--we need to abstract things out and hide the complexity, right?
Ashley: Mm-hmm.
Bennatan: We need--the fact that the data environment is so complex, it doesn’t change that if you go high enough, the problem statement or the what you need to do statement is the same, okay? The problem is that when you translate it to, “Okay, what actually happens?” then it tends to be different here, different here, different here.
But at a high enough level, it’s exactly the same thing. So, you know, what--if the environments are getting more sophisticated and the architectures are getting more complex in a good way, if securing them also gets more complex, then we’ve lost. So, what we need to do is make it maintain a single abstraction layer, and then do the magic that translates it into the individual changes.
So, it’s absolutely what we need to do. Now, some of this is a heterogeneous question. Okay, some of it is a heterogeneous thing where, you know, you have different silos and you know, historically, people have always looked at data as a bunch of silos.
Ashley: Mm-hmm.
Bennatan: Okay, there’s like the database silos, the big data silos, the file silo. That stuff gets blurred (a) because in the cloud, it’s very blurry, okay? Like, you can definitely say that S3 is a file system, okay? It’s an object store, it’s kind of like a file system, but then you slap Athena on top of it, and that gives you SQL queries on top of that file store. So, is it now a file system, or is it a SQL database? What is that thing? It’s--
Ashley: And DynamoDB and now you’ve got a whole bunch of different ways of accessing and using that data.
Bennatan: Yes. So, that’s one piece of it. The other piece of it, which is almost the same sentence that you said, but semantically, it has a different meaning, okay? If you look at kind of the concept of data governance, okay, from--in the last 20 years, it’s always been, like, at the top, there’s things like policy and things like, you know, what are the business requirements? And at the bottom, there’s the tooling. And always, whenever you talk to anybody in this space, they always say, “Don’t start here, don’t start at the bottom by just implementing tooling, start here and then do this.” Well, I’ve yet to meet a single company that has started here. You always start here.
Ashley: When do you get the luxury, right?
Bennatan: Yeah! Look, part of it is just us people, okay? We’re--us people are problematic, okay? [Laughter] People can understand very concrete things very well, and therefore, we can go do a project that does this and we can do a project that does--and the vendor landscape has never helped, because products are like this and like this, so... And you go to the analysts, and the analysts say, “Oh, you need to pick one of these and one of these and one of these.”
So, you know, for many years, it’s been one of these, “Okay, nobody started here, everybody started here.” And then projects have operationalization problems. It’s not that, you know, tools have problems, it’s the fact that, even if a tool does everything it was supposed to be doing, it gets hard to operationalize things. And then you start looking at it and you say, “Okay, within these silos, there’s actually no difference to operationalize things.” It’s the same thing, okay? You need the same processes, you need the same decisions, you need the same policy push down.
So, why are we doing it six times? Why are we not doing it one time? Well, we’re not doing it one time because we didn’t start here. And so, over time, you know, I kind of gave up on people starting here and assumed people would always start here. The question is, that abstraction--can you now take work that you’ve done within any one of those silos and leverage that in order to create that kind of in the middle, like a single control layer, okay?
Ashley: Mm-hmm.
Bennatan: I mean, a single control layer that then uses those tools, but creates something that is, you know, consistent. And if you start creating something that is consistent, then you’re not, you know, you’re not balled into these silos. And then when you’re--when you get some of these more kind of advanced architectures, you know, you’re not screwed, because you didn’t create something just for this silo and this silo and this silo.
Ashley: And then you know that all the bases are covered, too, you’re not having to do a unique process or solution for all the checkmarks you’ve got to put in place, and who knows if those work reliably in every environment, whatever way you figured out to secure the data or do access control or manage data integrity, whatever that is.
Bennatan: Yeah.
Ashley: Let me ask you. I think, maybe other than you getting acquired by Imperva, most of us want to put a checkbox on 2020, kinda wrap it up and, you know, in cellophane, put it into a bucket of cement and drop it in the river, you know? [Laughter] Kinda, let’s get past this year and move on to 2021.
So, as you think forward in getting security right, we’re in this COVID era, right? And, you know, that light switch isn’t gonna turn off any day soon. We’re gonna be some evolution of this for, you know, whether there’s vaccines or not, right? But that has rapidly, I mean, seriously accelerated digital transformation projects, and changed some things fundamentally about assumptions we make. We’ve kinda, we can go to shed some of that evolution and we’re there, in many cases.
How has that affected your thinking around data security in this era? Because we’re in it, we’re not heading towards being transformed, we’re living it right now.
Bennatan: Yeah. You know, I think this is actually one of the few positive side effects of COVID, you know? I can’t tell you how sick I am of being here. I need to go somewhere. I really need to go somewhere, I’m like, sick, but--
Ashley: I know. What day is it, anyway? I can’t figure it out.
Bennatan: Yeah. I just, I just can’t even tell you. [Laughter] But the acceleration that this has given to cloud projects is one of the side effects that I think is very positive. Because, for years, you know, I’m a technology guy, and you know, if it were up to me, everything would be on cloud, bar none. Nothing, nothing--there would be scorched earth everything else. And, you know, I keep hearing people saying, “Yeah, but you know, it’s more expensive.” You know, it’s more expensive only if you look at it at the actual numbers of the cost you pay the cloud providers. But if you look at how much more effective it is and how much easier, it’s like buying super-duper IT, okay?
Ashley: Mm-hmm.
Bennatan: That’s really what it’s about. It’s not about anything else, it’s about finding people who know exactly what they’re doing and that you never get to a point that you always have when you build your own stuff where you’ve got people finger pointing, you know? “No, it’s a storage problem,” “No, it’s a host problem”--it just works, okay?
So, I think it’s great. I think it does create a lot of challenges for security, just because it’s very new, okay? It’s very new and it’s very, very fast. And new doesn’t mean it’s, like, six months old. But even if it’s six years old, it’s all new. It’s like, somebody built everything that anybody built around data centers from scratch, really, okay? Or it looks different or it’s called different.
And then the problem--again, going back to people, the problem is always people. So--so, a lot of companies, what they’ve done in order to accelerate this very, very quickly is, they’ve built a separate security architecture for the cloud group to parallel the cloud architecture group, which is different from the old guys, okay?
So, now you get people who understand data security pretty well, because they’ve done it for many, many years. You have people who understand data very well. And then you have people who understand cloud very well, but they’re not the same people, okay?
Ashley: Mm-hmm.
Bennatan: So, now, you get a skills issue and almost like a language issue, okay? It’s like Babel again in some respects. It’s like, how do you call this? What is this? Is it the same? You know, what’s a VPC, how many different ways do you have to connect things into a VPC? What does that impact my data architecture, and what are the flows?
And so, I do look at 2021 as a great, great year, because, you know, if people have been going at a certain pace into the cloud, it’s all accelerated. It’s--
Ashley: You know, I think that is a really important point, because when you’ve been disrupted--and we’ve all been disrupted in our personal lives, but when you accelerate something that fast, you know, the saying, “necessity is the mother of invention”? Well, necessity with urgency is, like, the mother of invention right now.
Bennatan: Yeah.
Ashley: And it’s almost like you can’t do things the way you’ve been doing, you can’t go along in parallel paths, because suddenly we’re all now here. We’re all in the cloud together or in a place that’s much different than we were.
Do you think that that is enough of an accelerant to get sort of those silos of people across cloud security and on prem security and those start to work together of thinking how we manage? Because so much more of it now has moved to the cloud--or is that a good assumption? I mean, tell me what your thoughts are.
Bennatan: Eh, you know, it’s--because it’s people--
Ashley: [Laughter]
Bennatan: – [Laughter] I, I don't know how to answer that, you know? We’re getting into the realms of psychology more than anything. But I can tell you that, you know, it’s gotta happen, and we’re gonna make mistakes, right? As an industry, we’re gonna do this, it’s good that we’re doing it. And we’re gonna make more mistakes, because it’s less known, because we don’t always have the right skills.
Ashley: Mm-hmm.
Bennatan: And I think it’s our job, you know, our job in the industry is to try to reduce those mistakes. Because mistakes lead to things that we don’t want to happen, and we do have the ability to avoid mistakes, okay? We just need to be very clear--we can’t be, like, super techies about it, okay? We have to do things that are practical. Because what you asked is about human behavior. So, really, it’s not enough we create technology, we need to create technology that is accessible to people and that people can consume very easily.
It’s one of the things that, kind of, in security, I think we never--I think we’re doing a much better job now, and my entire focus is really on this, on making things practical and usable very often more important than a certain feature function, okay?
Ashley: Mm-hmm, mm-hmm. I totally agree with that, yeah. Well, you know, what I was thinking about is that, when you have that disruption, think about choosing productivity tools. How many organizations were debating, “We’re gonna go to Teams, we’re gonna go to Slack, let’s study it for a year” and it turns into two years and you finally make a decision. All of a sudden, that decision gets made in two weeks or a week or a day--a couple days.
Bennatan: Yes.
Ashley: Like, how could--you just have to. You’re forced to make some decisions and make some changes.
What I’m wondering is, if you accelerate to the cloud and you have, you know, a framework, an architecture, something like an Imperva that--okay, we’ve solved some of those issues, let’s just solve them for other folks and help each other save some time, right? You don’t have to--sure, check me out, validate it, you think this is all the right thing to do. But if you’ve got to do something quick, we’ve got a good bit of that problem solved. It seems like you’re in a good position from that standpoint.
Bennatan: Yeah, and I do believe so. I think that we started very early with the cloud and how do you do this well, and so we are in a good position.
I also really [Laughter]--you know, you said something about this productivity tools making the decision in two weeks, and it’s one of my, you know, one of my pet peeves for my entire life has been something--I don't see it changing, by the way, yet, but I really wish it would change, okay? Is this concept of a POC, okay? Where you--you know, you need something, like, go back to your two years versus two weeks. What does that mean? It means, somebody picked without doing a POC, right? [Laughter]
Ashley: Make a bet and if it’s wrong, we’ll change it.
Bennatan: Okay, make a bet, and make a bet based on what? You made a bet based on, you know--
Ashley: Best [Cross talk].
Bennatan: – either something thatโs more usable or very usable, [Cross talk] or something that everybody else is using.
Ashley: [Cross talk] at the result. I think that’s what it comes down to, right? What is gonna get us the quickest understanding? Nothing’s gonna be perfect, we’re gonna have issues with whatever we choose already, of course.
Bennatan: Yeah, yeah, and this entire industry forever has been, “Okay, I can’t pick anything until I do a POC, but when I do a POC, I’m actually not even checking what’s important, because I can’t reproduce my production environment. I can’t reproduce the load, so I’m just gonna test something, okay? I’ll test, like, really simple things--can you do this, can you do that?”--which has absolutely no bearing on whether you’ll succeed or not.
And what I’m starting to see, especially on the cloud, because it’s much easier to just look at things, much easier to talk to people, much easier to see what your colleagues are doing, what your peers are doing is, I’m hoping that that accelerates things. Because if we need to do something tomorrow, we’re just not gonna wait. We’re not gonna wait nine months.
Ashley: So, here’s what might start to change that behavior. I’m not gonna proclaim that it’s changed that behavior, but through this COVID experience, using that productivity tool example--guess what? Executives, the non-techies of the company, look at us and say, “How come we can make a decision in two days when we were gonna take two years to do it? If we can make that decision in two days, I want us to make the other decisions quickly. Maybe it’s not always two days, but we’ve proven we can make some good decisions under some very difficult conditions and rapidly. Let’s exercise and build up that muscle and do that more often than the thing that we debate about forever.”
Bennatan: Yeah.
Ashley: So, I think there may be some pressure from the business, who’s also, by the way, very disruptive, they’re having to adjust, they’re having to go into defense or offensive mode in the business climate, and they want to be able to experiment very quickly--that’s part of what digital transformation is about, right? Try some things, experiment, and market, go after--you know, learn quickly, much like we do in kinda continuous improvement.
So, that might be the thing that nudges us off of the comfortable stool of, “Let’s take nine months-slash-two years to study it and make a decision or run it--you know, do an RFP for everything.” I hate RFPs, but--
Bennatan: Yeah.
Ashley: – just like POCs for you. [Laughter]
Bennatan: Yeah.
Ashley: But maybe that’s the thing that tilts it a little bit. I mean, I’m not gonna declare success yet, but...
Bennatan: I agree, I agree. I think it’s--you know, I’ve been in startups all of my life, okay? So, one of the things that is really fundamental when you look at a VC that’s investing in a company, they’re investing in the people, not in the company.
Ashley: Exactly.
Bennatan: I mean, this technology, they don’t know yet, okay?
Ashley: They know you don’t have it figured out, otherwise somebody else would’ve done it.
Bennatan: Yeah, yeah.
Ashley: Right? So, your job is to figure it out, but get the right people that can do it.
Bennatan: But they invest a lot of money very quickly, okay? They don’t take nine months, right? So, I believe that, you know, when people look at their partners, who they’re gonna partner with, they need to look at, you know, what are the founding principles of the company? How much is the company gonna care about me? What is it gonna do for me? Are they gonna be there when I need them?
And I’m not saying technology’s not important, because product is everything, but it’s product and the people that stand behind it, and the decisions need to be made, also, from the business level.
Ashley: So, we’re kinda running up against our time, here. I’m gonna point out this irony and hopefully you’ll come back and talk about it. So, you were just talking about investing in people, which is what VCs do, I totally agree with that. And earlier we were talking about--well, the problem we were talking about is human behavior and people, right? So, [Laughter] there are conditions of which will drive different behaviors, and hopefully that’s something we can explore about data and data security some more. We’ll have you back again soon.
Bennatan: Yeah. Okay, I’d love that.
Ashley: Good. Well, Ron, it’s been a pleasure. I wish you all the best. Congratulations on the acquisition and hopefully, you’ll be able to get out of your four brick wall cell there at some point and get out and enjoy the world again. [Laughter]
Bennatan: [Laughter]
Ashley: All of us will, but I wish you the best. It’s been great talking with you.
Bennatan: Hopefully. Thanks, Mitch.
Ashley: Great. Thanks for joining us today, folks. We’ll talk to you soon.



