You may know Immuta as a longtime provider of data governance tools. But with the launch of Immuta Detect, the company has completed its pivot to becoming a data security provider for cloud-based data warehouse users.
For years Immuta sailed the seas of data governance, helping customers map their data access requirements, often driven by regulations like GDPR, to the actual policies that govern access on real-world systems.
But over the past couple of years or so, the company has been focusing more on one single discipline: data security. Instead of functioning as a control point to govern who gets access to a broad set of resources, the company is now aiming at ensuring the security of data stored in Snowflake, Databricks, and other cloud data warehouses.
The company repurposed its existing IP into two main products: Discover, which provides sensitive data discovery and automated capture of schema changes, and Secure, which maps high-level data access policies to data warehouse policies and provides enforcement for access control.
Yesterday, the College Park, Maryland company unveiled the third component of its Immuta Data Security Platform. The new offering, called Detect, adds user and activity monitoring, behavior analytics, and risk scoring to the collection of previous capabilities.
The product’s main goal is to detect unusual user activity that could indicate nefarious activity by an internal user against one or more cloud data warehouses, says Matt DiAntonio, the vice president of product for Immuta.
“Let’s say we have a user that seems to be querying at an odd time of day, 2 a.m. What were they querying? Was it a sensitivity issue, or are they just burning the midnight oil?” DiAntonio says. “They don’t really have a way to do that, and it gets worse when they do that across multiple platforms.”
Today, an administrator would have to comb through log files in their Snowflake, Databricks, Redshift, BigQuery, Presto/Trino, or Azure Synapse Analytics environment to figure out what the user was doing. If the query touched more than one cloud data warehouse, the admin would need to manually meld the logs together, which multiplies the difficulty level because of differences in how those log files are generated.
This log-integration process is an exercise in exasperation at the moment, according to DiAntonio.
“These poor analysts, who are just trying to deliver a palter that will deliver strategic value from their data, they’re just pulling their hair out of their head. They’re saying ‘I don’t know how to do this. It’s taken me 10, 20 hours per week to go through and do all of this,’” he says.
“We harmonize all that information,” DiAntonio continues. “So we go through and pull all that log data. We enrich it and harmonize it so it’s consistent. We just take away that really crappy task from the platform distractor, from the security individuals–whoever is in that unfortunate seat of that hand-o-matic work–and we surface that information in a set of activity monitoring views that will allow you to just really quickly easily answer the question: What’s going on in this environment? Where should I pay attention?”
As cloud data warehouses have exploded in popularity, so too has this particular problem. Immuta, which was already controlling access to data on an attribute-based basis (as opposed to doing it by roles, which are mutable and morph over time), was well situated to address the problem. So the company decided to shift its strategy a bit, and concentrate on the access control problem that’s specific to the cloud data warehouses.
“It’s a lot deeper [with] the databases we care about, rather than wide across everything,” Immuta CEO Matt Carroll told Datanami at the Data + AI conference last June. “That was a strategy shift that we made. And the databases we care about are the SaaS data warehouse and data lakes.”
The meteoric rise of big data warehouses in the cloud is tangled up in a hornet’s nest of related issues, which Immuta has also identified. One of those is the rise of data mesh projects, whereby groups of teams are encouraged to work individually to build data products using decentralized data living in the cloud.
“Those cloud environments are not nearly as mature as the centralized legacy technology that was pretty locked down, and you have [cloud environments] proliferating because of the demand of the business,” DiAntonio says. “They have to move faster. People get upset. ‘Hey, I’m not moving fast enough with my data. I’m just going to spring open a brand-new cloud instance and start doing it myself.’ And the data security professionals are stuck in the middle. You can’t tell the business to stop. But you can’t have the Wild West either, so how do we wrestle with that problem?”
Naturally, Immuta sees itself filling a critical role in that scenario. The company is cognizant of the need to work with other components of the stack–such as data catalog vendors, SIEM tools, and even other data governance and data access tool providers–and doesn’t want to recreate more than it needs to. As far as SIEM integration goes, it has partnered with Splunk for the preview of Detect, for example.
Integration with other components of its own stack, including the capability to keep track of which users are permitted to access which pieces of data, is critical for keeping it all straight.
“We’re thinking a lot about query activity and what’s happening at that level. But it’s just as important to be thinking about the user,” DiAntonio says. “Was somebody made part of the group, and by making them part of the group, you’ve now exposed them to information that potentially they shouldn’t have been? Did somebody change a group that has access to sensitive information?”
By tracking all the movement and changes involving the “holy trinity of data security”–or tags, users, and data systems–Immuta is able to correlate activity and map it against a given security policy to determine if breaches have been made, DiAntonio says.
“We allow some configuration of what does risk even mean for my company? You don’t want to have a one size fits all environment,” he says. “And then we wrap that with the ability to have this really elegant event stream that moves from an event to an insight to an incident, so that we’re correlating this set of activities and bringing those to your attention.”