AT&T announced earlier this month that nearly all its customer phone records — around 110 million of them — were stolen via Snowflake. Data lakes like Snowflake, which serve as data repositories with wide access for employees, are prime targets for cybercriminals. However, security teams often overlook them as just another IT component.
But it’s no longer acceptable to overlook data security. This has become especially true in the age of generative AI, which relies on vast amounts of data. Robust data security is essential to maintain data integrity, reduce bias, and protect sensitive information.
In short, organizations must know where their data resides at all times and remove access from teams that don’t need it. Building and running a solid data security program will require executives to overcome two major challenges unique to data security.
Challenge 1: A disconnect in perception and culture
The challenges facing data security are about perception and culture. As a seasoned security professional, I have witnessed firsthand how data engineers and scientists often feel marginalized compared to software engineers within the same organization.
When I speak with data engineers about their security training, I usually hear two responses: they either mention a general security training program for all employees, or a specialized program focused on the OWASP Top 10 or similar topics for software engineers. These programs often overlook the specific needs of data scientists and machine learning engineers, leaving them without relevant security knowledge.
Further exacerbating the disconnect, data professionals are not typically given the same level of tooling as their peers in software development, nor are they usually integrated into the software development lifecycle.
Finally, data teams often view security measures as obstacles to their analytical and developmental tasks, rather than essential safeguards. They are often unaccustomed to security processes and wary of external interference and sometimes resist security implementations.
For example, the data team in one organization was developing a machine learning model to enhance customer personalization. When the security team proposed incorporating data access controls, the data scientists resisted, fearing that these measures would hinder their ability to quickly iterate and test their models.
Solution: Integration and collaboration
How can execs overcome such fundamental disconnects? They must build trust and credibility within data teams.
To foster openness and collaboration, security leaders should not start at “no.” Overly strong controls are only going to backfire. Security leaders should meet data pros where they are — discussing their access needs and building controls from there.
To bridge the knowledge gap, organizations can embed data engineers within the security team — or vice versa — fostering communication and ensuring security feedback stays relevant and actionable in the eyes of the data team. By participating together in code reviews, design reviews, and sprint planning, data and security professionals can build a collaborative environment where security gets seamlessly integrated into the development process.
I recently spoke with a security professional from a financial institution whose data team pushed back when the institution introduced a security protocol requiring multi-factor authentication (MFA) for accessing sensitive datasets. The data scientists argued MFA was cumbersome and would interrupt their workflow. The security team worked closely with the data scientists to streamline the authentication process, demonstrating how it could be integrated smoothly into their operations without significant disruption.
Challenge 2: Lack of industry standards and resources
This field is largely uncharted territory, lacking industry guidance to inform building a data security program, as well as tools tailored to the needs of data environments.
It’s very complex to configure and secure data pipelines, and data science and machine learning ecosystems often lack segmentation and established security controls. While best practices and examples exist for microservices and backend engineering, they are not as available for data engineering or data science.
While controls exist to ensure that a compromised edge service does not jeopardize the entire ecosystem, the same is not necessarily true for data pipelines. Over-permissive access is common: data teams often grant broad permissions initially, unsure of their exact needs, and fail to tighten them later. If any of the dozens of teams writing different pipelines has a compromised pipeline, it could affect everyone because the environment lacks segmentation.
And unlike application security, which benefits from maturity models like the Building Security in Maturity Model (BSIMM) and Software Assurance Maturity Model (SAMM), data security has no widely accepted frameworks — leaving organizations to navigate these challenges on their own.
Mapping controls from traditional backend engineering to data ecosystems is still rudimentary, and in dire need of updating.
Solution: Build an iterative data security maturity program
In the absence of strong guidance, security leaders should develop a data security maturity program, including a roadmap with clear goals and milestones as well as regular updates to security controls based on evolving needs and threats. Instead of rigid policies, security leaders should focus on gradual improvement.
Collaboration becomes very important here. Security leaders should work with data engineers to understand infrastructure and data pipelines, as well as with data scientists to understand how they build and deploy models and what the modeling environments are like. It’s fundamental to understand where data lives and who has access to it.
A just-in-time access model also reduces unnecessary data access. Organizations I have worked for have successfully implemented this model, granting access only when an engineer needs and requests that access, and revoking access afterward.
Finally, it's also effective to have a self-service portal that helps employees make the right security choices. Instead of only recommending "use the least-privileged role," we can point users toward a portal or utility that helps them obtain the least-privileged role for their use case.
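To make the just-in-time access model and the self-service "least-privileged role for your use case" idea concrete, here is a small added illustration (not Chime's code or any vendor's product): a toy access broker that maps a declared use case to its minimal role, grants it with an expiry, and sweeps expired grants. The dataset names, use cases, role names and the four-hour TTL are constructed for the example; timestamps are plain epoch seconds.

```python
from dataclasses import dataclass, field

# Constructed mapping: the least-privileged role for each declared use case.
# In a real portal this would be owned by the data platform team.
LEAST_PRIVILEGE_ROLE = {
    "read_for_model_training": "dataset_reader",
    "build_feature_pipeline": "dataset_writer",
    "schema_migration": "dataset_owner",
}

DEFAULT_TTL_SECONDS = 4 * 3600  # constructed: access expires after four hours


@dataclass
class Grant:
    principal: str
    dataset: str
    role: str
    expires_at: float  # epoch seconds


@dataclass
class JitBroker:
    """Just-in-time grants: access exists only between request and expiry."""
    ttl: float = DEFAULT_TTL_SECONDS
    grants: list = field(default_factory=list)

    def request(self, principal: str, dataset: str, use_case: str, now: float) -> Grant:
        """Resolve the use case to its least-privileged role and grant it with an expiry.
        An undeclared use case is refused rather than falling back to a broad role."""
        role = LEAST_PRIVILEGE_ROLE.get(use_case)
        if role is None:
            raise ValueError(f"unknown use case {use_case!r}; nothing granted")
        grant = Grant(principal, dataset, role, now + self.ttl)
        self.grants.append(grant)
        return grant

    def has_access(self, principal: str, dataset: str, role: str, now: float) -> bool:
        """True only while an unexpired grant covers this exact (principal, dataset, role)."""
        return any(
            g.principal == principal and g.dataset == dataset
            and g.role == role and now < g.expires_at
            for g in self.grants
        )

    def revoke_expired(self, now: float) -> list:
        """Sweep expired grants; the revoked list is returned so it can be audit-logged."""
        expired = [g for g in self.grants if now >= g.expires_at]
        self.grants = [g for g in self.grants if now < g.expires_at]
        return expired
```

The sweep in revoke_expired is the step most often missing in practice; without it, a "temporary" grant becomes standing access.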
Navigating data security involves complexity, but it’s a journey security professionals must embark on, working with data teams to understand their risks and asking for their help in solving them. By taking an inclusive and iterative approach, leaders can foster a culture of security and continuous improvement that enhances data security and paves the way for innovation and growth.
Mukund Sarma, head of product security, Chime