I’m Mohit Tiwari. I’m one of the co-founders of Symmetry Systems, and the CEO. Symmetry was spun out of Spark Lab at UT Austin. We had a long history of research into an arcane field called “information flow security.” It’s been a long-term field… has dashed many hopes. We got inspired by working with hospitals who were working with complex-care kids, and they wanted to make sure that they could use applications outside of EMR/EHR tools to take care of complex-care kids. And we thought we could apply information flows to make sure that medical data can go through different apps. Social workers, family members, everyone can collaborate, and they would not break HIPAA compliance. That was what was blocking the usage. So that’s what started us off.
We learned the hard way that hospitals are not the earliest adopters. And the famous question was like: “oh, which banks use you?” And me, my co-founder Casen, we looked at each other, and we were university students. No, banks use us. University research. Yeah. So that’s how we started being more thoughtful. We worked with cloud providers, worked with NSA, General Dynamics, Lockheed… just kind of covering the spectrum. And in late 2019, we felt we had seen enough that we could spin out and build a company around our work in information flow.
To me, DSPM is really about how information is flowing—how data is flowing—but at the layer of data and identities. So we talked about information flow from our research. It’s really rooted in the simplest questions: I have privileged users, admins in my environment, how can they touch customer data, or did they? Such a simple question. It’s incredibly hard to answer because admins can go into the systems in many different ways and so on. You can think of other types of identities. You have vendors in your environment—did they touch customer data? You have third parties where you share it. There’s so much controversy that Facebook gave information to Cambridge Analytica. That’s a simple use case of: “I’m giving you information, I want to track how it gets used.”
So after seeing this in research for a while, we were just very convinced that if you can understand how information is flowing amongst identities—whether they are human, non-human, inside, or outside—we can answer the hardest questions in security that are at the heart of all security and compliance. So to me, that’s what DSPM is about. Let’s route security around how data is flowing in my environment. Where we spend money today on endpoints, they’re all the peripheries of the nervous system. They should come after we have mapped out where the main information is and how it’s flowing.
DSPM is just an acronym. The big outcomes that we can drive using this visibility into data flows and data identities include identifying whether there is a buildup of dormant data in your environment. Lots of regulations say good security practices involve minimizing data that you’re not using. But it’s not easy to determine what data is in use and what is not, and who should be responsible for making a judgment call on it. All of this visibility and context-building is something DSPM can really help with.
For instance, we helped a Fortune 500 company delete 25% of the production data in their environment. That’s a material outcome for their security and compliance. That data lake no longer needs to be SOCs compliant because we also off-boarded over a thousand identities from that environment. We can show that all the sensitive data in there is just super tightly locked down. So this is not just great security practice but also great IT outcomes beyond just security outcomes.
That’s one example in a data lake environment. A completely different outcome could be in a product environment where you have developer teams with staging and dev environments alongside production. Customer data in production has to be very carefully handled when used for testing and staging. When we first landed at a healthcare company, we were able to show that lots of clinical trial data and other healthcare data were found in environments that were much more open, unbeknownst to the security or compliance teams. So just mapping out regulated customer data and identifying what environments they were found in allowed us to clear out vendors who should have been off-boarded and to remove healthcare data from places it shouldn’t have been. That’s a great outcome for the product teams.
A third environment where we see big outcomes is in corporate environments. Every company has many employees, from HR to engineers, who all have corporate data in OneDrive, G Drive, and other places. We’ve been able to show that as companies roll out Copilot into their corporate environment or when they merged OneDrives from acquired companies, valuable customer data ended up broadly shared across the company or with external people, or it got into places where it shouldn’t have been. Being able to quickly identify whether your corporate data state is ready for good access control is crucial, especially when planning to run tools like Copilot. We helped a big company that found product roadmaps, RIF plans, and sales outcomes lying around in places where they shouldn’t have been, and they were able to control it very quickly.
One of the most useful things for customers that I’ve noticed is that you can get to solid outcomes very quickly. Meaning you deploy a DSPM product and within a week or two, you will get guaranteed findings. In one government agency, we were able to find secrets that shouldn’t have been in the environment, and though they initially said it wasn’t a big deal, they quickly cleared it all out. We also found 30% more environments that no one knew about, accessing or sending data out. AWS can’t tell you because they can’t break the privacy of other accounts, but we were able to figure out these data flows and show them. That was a big “aha” moment for them.
Finally, while we talk a lot about confidentiality—secrets being lost—we also showed how rolling out code and container images created a huge supply chain risk. If someone could overwrite trusted container images, they would be shipped out to production environments. So integrity and availability are big directions where DSPM can produce outcomes as well.
When Gartner called out DSPM in 2022, they noted that data, identities, permissions, and operations all need to be in the same product to qualify as a posture management product, and that it should fully reside in the customer’s cloud. We are the only company that lives fully in the customer’s cloud. This means we won’t break data localization, residency, or sovereignty requirements, and we won’t create extra compliance work. Nothing goes out—no control plane. Additionally, we can directly answer simple questions like: “This contractor reported a breach. What customer data in my environment is affected?” or “Did any of the recently off-boarded employees do something suspicious in the last month?”
Whether it’s answering questions about vulnerabilities like Log4j or understanding data flows across GCP BigQuery, AWS S3, or corporate environments, our mission is to raise data security to a higher level of abstraction—like TensorFlow or PyTorch does for machine learning. You won’t be dealing with the nitty-gritty technical details. Just ask the simple questions, and we’ll handle the rest.
DSPM is a rapidly maturing market, though there is still a lot of noise from vendors in different streams—data security companies, privacy-focused companies, and cloud security companies. All are converging around the idea that centering security around data and identity is where the big leverage is. As DSPM matures, it’s our mission to make sure that data security is not just a side effect of infrastructure security, but its own layer driving real outcomes.
