Unlocking Data Protection: Vishnu Varma on Cybersecurity Challenges Artwork

Security Unfiltered

Cyber Security can be a difficult field to not only understand but to also navigate. Joe South is here to help with over a decade of experience across several domains of security. With this podcast I hope to help more people get into IT and Cyber Security as well as discussing modern day Cyber Security topics you may find in the daily news. Come join us as we learn and grow together!

All Episodes

Security Unfiltered

Unlocking Data Protection: Vishnu Varma on Cybersecurity Challenges

December 01, 2025 • Joe South • Episode 214

Send us a text

In this episode, Joe sits down with Vishnu Varma to explore the evolving landscape of cybersecurity and data management. Vishnu shares his journey from India to the US, detailing his experiences at Cisco and the rise of cloud security. They delve into the challenges of managing vast amounts of data in the age of AI, discussing how BonFi AI is innovating in data security. Tune in to learn about the importance of context in data protection and the future of cybersecurity in a rapidly changing digital world.

00:00:19 Introduction to Vishnu's Journey
00:00:30 Entering the US and Cisco
00:02:18 Cloud Security and AI
00:02:48 Data Governance and Challenges
00:08:47 The Expansiveness of Cloud
00:11:00 AI's Appetite for Data
00:12:11 Data Security in the JNI Era
00:14:29 The Importance of Context
00:16:13 Data Used by Enterprises
00:22:24 Conclusion and Future Trends

https://www.bonfy.ai/

Bonfy.ai
Bonfy ACS is a next-gen DLP platform built for the AI era.

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Support the show

Follow the Podcast on Social Media!

Tesla Referral Code: https://ts.la/joseph675128

YouTube: https://www.youtube.com/@securityunfilteredpodcast

Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast

Affiliates
➡️ OffGrid Faraday Bags: https://offgrid.co/?ref=gabzvajh
➡️ OffGrid Coupon Code: JOE

➡️ Unplugged Phone: https://unplugged.com/
Unplugged's UP Phone - The performance you expect, with the privacy you deserve. Meet the alternative. Use Code UNFILTERED at checkout

*See terms and conditions at affiliated webpages. Offers are subject to change. These are affiliated/paid promotions.

SPEAKER_00: 0:53

How's it going, Vishnu? It's great to get you on the podcast. This is the second time that Bonfi, you know, has been on the podcast and we're talking about it, whatnot. So I'm really excited to see the product and dive into it and everything under the sun, right? Absolutely, Joe. Happy to be here and looking forward to the days. Yeah, definitely. So, Vishnu, why don't we start with you telling my audience, you know, how you got into IT, how you got into cybersecurity, right? Like what does your journey look like?

SPEAKER_02: 1:26

Absolutely. So, Joe, I came into the US about 25 years ago from India. I did my engineering in India. And that point in time, like a lot of my classmates and we wanted to pursue higher studies into the United States and got admission into one of the universities over here, the North Carolina State University, the Wolfpack, go Wolfpack. And then came here, did my computer networking. Actually, my background was electronic engineering, and then shifted at that point in time, you know, with all the dot-com thing that was going on back in the turn of the century. We uh, you know, obviously decided to go into deeper into the networking aspect because it takes a lot of infrastructure uh to build all the uh all the e-commerce based on. And at that point time, Cisco was was just taking off, right? So that just after doing my my master's, my first job was at Cisco in in Silicon Valley. So started as a coder, a software engineer at heart, got into the bits and bytes of uh of packets, TCP IP, and all of the good stuff. And then very quickly, you know, realized that what I really wanted to do was to get a good sense of not just one vertical of technology, or if you if you were to look at the OSI stack, you start with the infrastructure, get into the networking, get into application aspects and identities and then data, right? Obviously, everything writes on Ryzen Data. So I have been fortunate enough to explore all of these, in fact, you know, starting at Cisco with the networking aspect of things, moving into application and cloud. You know, cloud was really taking off, and F5 was doing some amazing stuff, rolling, helping application developers, DevOps was taking off to roll out applications securely in the cloud. And then all of a sudden, you know, cloud security became the next big thing. People started talking about uh, you know, not just CasPs and SASE, but also CSPM, Snap was taking off, identity security became hot because now you're dealing with multiple clouds, multi- multi-cloud architecture, and then very quickly realized that with the advent of Gen AI, data is now the strongest currency, right? So from cloud security, identity security became really hot. And then because of the recent trends that we are seeing with Gen AI and AI security, with data at the centerpiece of all of that movement, uh, we have to really take care of data governance and hence, you know, uh got together with with Giddy and and Danny. Danny was at CyberArc when I was doing identity security, and then I obviously was just curious as to what Danny is up to along with Giddy and and hence decided to join the forces. Huh.

SPEAKER_00: 4:09

Yeah, that is a it's a really strong background in terms of like a variety of strong experience, you know, within within the different domains, which you know, I always tell people like when they're when they're trying to get started in IT or in cybersecurity, you know, I always tell them, like, you want to get as much experience as possible in as many different domains as possible, right? And and you know, every everyone always wants to like get into cloud security specifically, because that's like the big, you know, that's kind of like the big overarching, you know, umbrella now, right? Like infrastructure security is like that old, you know, that old thing. Anyone can do infrastructure security, right? But figuring out the cloud is a different beast. And you know, I I still always tell them, like, hey, you need to know, you know, everything on-prem, like that's when it's easy, right? Like, you shouldn't be just jumping straight into the cloud, like, yeah, you can go and get you know your AWS Foundation cert or your Azure Foundation cert, all that sort of stuff, but you need that strong, diverse background before you start playing in a in a field, right, where like anything can be built at any scale with within seconds. You know, like how in the world do you control that? Because on-prem, that server's only gonna hold so much, you know? Like there's only gonna be so many resources for an on-prem server. But in AWS, if you tell it, hey, spin up a million containers, I mean, it's not even gonna think about it. It's not gonna ask you to confirm, like, hey, you sure you want a million? It's gonna be like, no, okay, we're raking in the money now. Let's go spin up a million for this guy, whether he wanted it or not.

SPEAKER_02: 5:58

Absolutely. And as I tell my son, he he's now all into wipe coding. I said, dude, first, first figure out your basics, get into Python, learn, learn some data structures and object-oriented principles of object-oriented programming, and then you know, you're welcome to dive into wipe coding and and do the do the things the modern way, right? So, similarly, very similarly, getting that diverse background into how things actually work, how infrastructure and getting that rolling out things at scale and not losing sight on performance, and then moving into infrastructure as a service and platform as a service, right? You know, I've I've also seen days when even on-prem people were rolling out uh platform as a service through OpenStack, uh, infrastructure and platform as a service, which is sort of the promise was to bring a sort of like a hosted private cloud with a similar experience as or you know automation, you know, as AWS was was promising at that point in time, right? But eventually, you know, if you have to really do things at scale securely, you know, without compromising security and user experience, cloud is the way to go. And under the hood, it is all those those basic fundamentals that you've you've learned across across the stack, as I put it.

SPEAKER_00: 7:12

Yeah. Yeah, no, I mean, like everything in the cloud is a totally different scale, you know. I mean, it's it's hard to even think about that. Like in cloud security, you know, it kind of started for a brief stint with like vulnerability management, right? And then everyone kind of started to realize, like, oh wait, like these vulnerabilities don't really matter if the entire network is configured wrong, you know, and so like that's where kind of like the idea of CSPMs came in and started to like augment that, right? And now now in cloud security, I mean, there's so many acronyms, I barely even keep up, you know. I mean, yeah, yeah, yeah. And I'm like a cloud security guy, like through and through. It's what I do for my day job, you know, which is probably bad. Someone, someone hearings like the director of cloud security is not keeping up with acronyms. It's like, okay, well, there's they're coming up with acronyms for stuff that already exists. So tell me what it is, and I promise I already know it, you know? That sort of thing, right? But with with the advent of the cloud and the the expansiveness of the environment, it feels like data security is a significant problem that we haven't really seen before. I mean, you know, I'm trying to think, right? So like back when everything was mostly just on-prem or in a remote data center or whatever, you know, like there was limits to how much data you would have. There, there was limits, like you were smarter with it. You weren't just collecting every single thing. You were collecting what you needed, and you know, the rest of it you were disposing of, hopefully, in a secure manner, right? And then the people that are dealing with petabytes and exabytes of data, you know, that was like Google. It was, you know, a handful, handful of firms, right? And I'll give you an example, right? Like I was talking with a company just a couple weeks ago, and they were talking about data security. And I asked them, you know, all right, like how much data do you actually have? Do you know? And they told me petabytes of data. And I remember, like, it kind of set me back because back in 2014, I was talking with like a wasn't a threat intel company. It was like a it was like a threat intel company before the federal government. And they were talking about having issues with storing petabytes of data and having it rapidly accessible. And now this random medical company is saying that, oh yeah, we have several petabytes of data, like it's just another day. You know, like of course, of course we have petabytes of data. It's like, man, that is an extreme amount of data for you to try and sift through and categorize and you know, building controls around it, you know. And I I asked them how they were doing it, and they said, Oh, we're not doing it at all. We just kind of hope that nothing happens, you know, you know, because like it's such a difficult problem. And I was talking to my my data security guy, and he told me, you know, straight off the bat, he's like, Yeah, this is, you know, on average, minimum an 18-month project of someone devoted to them. Like, that's all that they do every single day, 18 months, categorizing data, building policies around the data, just to secure it, just to figure out what you actually have.

SPEAKER_02: 10:41

Absolutely. And if you think about it, you know, SaaS did this, and you know, with the megascalers, sort of helping enterprises, entrepreneurs along the way, right? So petabytes of data, what at one point in time when everything was on-prem was well in control, now it's it's not, right? And even that's why you also see that even cloud security companies that started as a as a CSPM, you know, Snap took a broader term, and then they are also looking at data security as a very strong adjacency. But what we have realized at at BonFi is that most of these companies are able to look at things in silos, right? So either at data at rest, which is okay, let me just go and classify, you know, terabytes, petabytes of data, get that visibility. But then what after that, right? It is obviously a healthcare company will have healthcare data. A finance company will have finance data. And that's not surprising that's that's what they're expected to do. But but once you discover and classify and get a sense of where the data is, where the risky data is, now that thing is obviously the the elephant in the room is Gen AI and AI now, sort of that insatiable appetite that it has for data. It wants to go and sort of devour data wherever it is for from an enterprise point of view. And now it is, now you're talking about fragments of data. It's not like data at rest or data in motion. But hey, I'm I'm asking ChatGPT or Claude to go and figure out or compose an email taking customer of financial data from this file sitting in in SharePoint because I have access to that file. Now the agent is now a proxy of me and accessing that data at rest, creating something, an artifact that I'll take, either send it, consume it as is, or modify and send it in in an email or or share it as a memo, right? So now it's no longer just that getting that visibility that the traditional data security providers are promising, or not just looking at data in motion as a silo and just looking at this email has BIA data. But now what you need is a much more holistic data security solution, which does what it's supposed to do, which is to secure the business first, right? Data is one aspect or data security is one aspect of it. Obviously, other vendors are providing their domain expertise from a network security and identity security point of view. But the two main actors right now, or two main components in this day and age, is data first, and then obviously who is sending the actors, I would say. So tying this, these two elements or entities, as we call it, at WonFi, and learning about not just the enterprise, but the universe that it is existing in with all the uh the partners, the vendors that it is dealing with, the employees, the insiders, and then the risks that they they they they bring to the table as they interact with data at rest, creating fragments using Gen AI and sharing it. And then there is this other big family of data consumers and producers that is coming up are AgenTech AI and the smart applications that our enterprises are are building. The developers are hungry to build in way more smarter applications, leveraging all these intelligent models. So, yeah, petabytes of data, traditional data security, obviously they do what they are supposed to do by design, but that's not good enough when it comes to doing data security in the Gen AI era as as we call it.

SPEAKER_00: 14:25

Yeah. I mean, it doesn't seem like anything else on the market is probably even capable of keeping up with it, right? Because, you know, I've had on data security experts before, and I I think I even discussed this with Giddy, where you know, data is like the new oil, right? Like where I I wouldn't be surprised if you know countries end up fighting wars over data, right? I mean, that's a weird thing to say, it's a weird thing to think about. Right, you know, because it's so like transactionable, I guess, if if that's a word, if that's a term, right? Because you know, you can you could sell it, you could same you could sell the same piece of data, you know, thousands of times over, millions of times over. It doesn't matter. It has reusable, you know, characteristics to it. Now I'm sure eventually, you know, it would get so populated within whatever ecosystem that you wouldn't be able to sell it anymore. But you know, still like it's we're at the precipice of something, especially with you know, Gen AI and LOMs and agentic AI, you know, creating because now agentic AI is just essentially out there like creating new data for its users. Absolutely. Yeah. Where it would have used to take, you know, a human to interact with a website or a payment system to do it. Now a bot's doing it in you know 10 seconds, five seconds, right? And then moving on to the next one. Like that's that's creating data at a scale that we haven't even thought of.

SPEAKER_02: 16:04

Yeah, I mean, the the volume of data is is is absolutely something that that is that is happening. It's it's not something that that is yet to happen. It is happening. But what's more important, Joe, is that you know, obviously, data without context is is not as interesting. It's not as from a data security analyzer like us, you know. So so you talk about data and and how it's going to be important, but even more important is what could be something sensitive for one business may not be sensitive for another business. So looking at data at scale, volume that that is being generated at in context of the business is the key problem to be solved, right? And nobody is actually doing that effectively. Right? We everybody, it's it's an overloaded term these days that hey, contextual intelligence contexts have been around for the longest time, right? Like even at Cisco, when I was there doing network security, folks started talking about, hey, where's the application context? Because you're using Cisco gear to to transfer packets from point A to point B, but for an application, right? Similarly, you know, talking about identity security, you cannot be looking at identity security just as a silo, but but the various contexts that come into the picture, very similarly, you you bring all of these things together and they actually form context for data as well. Because at the end of the day, data is serving the goals of a business, the goals of entities that are actually consuming and producing it. And these days, obviously, in in addition to the human entities, now there are machine entities that are equally, if not more, hungry for data in order to consume more intelligent stuff and in in in order to help the enterprises meet their goals.

SPEAKER_00: 17:55

Hmm. Do you think that this is kind of this is the last question before we like kind of dive in and take a look? Do you do you think that now with Gen AI and just how the cloud is and everything? Do you think that the scale of data that I talked about, you know, with like Google, where Google is operating on a scale of data for decades that no one's ever even seen, right? I mean, they're they're coming up with new names for the amount of data that they're getting. And this was, you know, a decade ago, two decades ago, like it was like that. Do you see the same thing now happening, but to like everyone, basically? I mean, is everyone starting to get to this point where you're generating so much data, or you could generate so much data that it's basically unheard of or unseen, you know, outside of like the big tech companies?

SPEAKER_02: 18:55

Absolutely. Even forget about enterprise. I would say even at a personal level, the amount of data that we are generating is probably I don't have exact statistics, but probably are the same level as what enterprises were producing a few decades ago, right? So with the amount of data that that we are obviously possibly uh producing and consuming, which are humanely possibly possible, but also talking about the sort of data that is being generated and consumed by AIs, but also we talk about universal intelligence and AGI and all of that. Imagine human population getting doubled and tripled because each of these identities, non-human identities or machine identities, will have their own memory, will have their own context, right? So just like you and I, we have all sorts of stuff in our brains, like with all our experience, the knowledge that we gather. Now each of us, now create a clone of each one of us, just as a very simple math, and each one of those machine identities also uh having access to that data that we have not normally have, but also storing that as memory and storing that the those historical contexts. We're talking about uh you know humongous amounts of data that that we'll all have to you know manage and obviously secure as well.

SPEAKER_00: 20:21

Wow, that's crazy to think about. I didn't even I mean I didn't even think about it like that, right? Where potentially the AI agents are learning from prior experiences, you know, probably like under the guise or an understanding that it makes it more efficient, you know, it's better at what it does, it learns from you, you know, yeah to serve you better and whatnot.

SPEAKER_02: 20:45

And like with the the my chat GPT, the sessions that that I have. So not obviously the prompts are interesting, the responses are interesting, but also over many, many sessions that I've had with Chat GPT, for example, it knows me. Right? It knows my my you know areas of interest, what I'm usually looking for, you know, my my parameters, my attributes that I that I look for in in products and technologies. So it's not like your chat GPT will will be catered to your preferences and your requirements, right? Similarly for me. So it's it is going to be, I would say, a human population quadrupled, right? And and then imagine the amount of data, the amount of intelligence, and hence the amount of security requirements that will be required. So it's just just just fascinating.

SPEAKER_00: 21:39

Yeah, that is a really interesting way of looking at it. I mean, it makes me feel like it's like a step away from Skynet, you know. Yeah. Some terminator sort of situation.

SPEAKER_02: 21:50

Absolutely. There's an and that's why knowledge is the gold mine, right? So the day the how much you know about the entity, that entity in our case, let's say enterprise is an entity, how much you know about that entity, and then superimpose that with the data at rest in motion and use, and then you'll be able to really come up with some accurate risk assessment, right? And not just looking at the the one-to-one mapping that I gave a few minutes ago about the chat GPD knowing about me is exactly how BonFi think of BonFi as, you know, BonFi knows ACME as one enterprise and it knows its characteristics, its attributes. And then, you know, BonFi knows knowing about any other enterprise in a different vertical, with different standards, with different compliance requirements, and then looking at data through those lenses. So that's that's where it's not just about data address and motion and use. It is data as being used and consumed by an enterprise through its human and machine identities and entities. That's where the the real solution lies.

SPEAKER_00: 23:00

It's really interesting. Why don't why don't we dive into you know the actual process and the pudding, right? Let's let's take a look.

SPEAKER_02: 23:09

Cool. So basically I'm logged into the the BonFi portal. It's a multi-tenant SaaS solution. What that means is every customer of BonFi gets they they get their own tenant on on the BonFi infrastructure, and they log in, you know, we have different roles, you know, administrative roles, analyst roles. And if you see the GUI itself on the left side, it's basically divided into four sections. The first section is more about visibility, giving a very strong sense about the visibility into the risks that Kevin Enterprise is exposed to, but also the risks from a data point of view, but also from entities point of view. We call it ERM or entity risk management. And then the dashboard is overall coverage of how Bonfi is looking at data and surfacing some of the major risks. The middle portion over here is basically the infrastructure, the plumbing. We obviously connect to a lot of data repositories and enterprise data stores because as we mentioned we spend a lot of time and and a lot of effort goes into learning about the enterprise, what we call as the knowledge graph, and we'll we'll come to that. So through the plumbing, we not only uh have connectors to look into and learn about the enterprise, but also tap into the various channels, right? Whether it's it's a data in motion, which is an email connector, or uh looking at data at rest. For example, a lot of our customers are Microsoft 365 customers are looking at uh data at rest in SharePoint. And then the knowledge graph is basically the what what we know about the enterprise. The various organizations that it deal deals with, the people that it deals with, you know, segments will have different volumes. Uh so if you're talking B2C, we're talking about millions of customers that this particular enterprise might be dealing with. You know, we learn about the employees, the identities and entities connecting to their enterprise identity directory for for instance, learning about the groups because a lot of uh enterprises do access control to data and applications through through groups. So learning about uh groups and and what comprises those groups is also an important aspect.

SPEAKER_01: 26:01

And then the fourth section is basically about just doing operational stuff within the application itself.

SPEAKER_02: 26:12

So those are the four sections, and let me dive deeper into the connector. So this is this is where we get started, right? So uh any typical enterprise customer would first onboard us by by helping us connect to their identity uh directories, for example, right, through through intra, right? A lot of our Microsoft 365 customers have most of their users and employees, guest users or employees in their identity directory. So that's where we connect to, and then we start connecting to other learning sources. For example, we learn about uh their customers through the CRM system. So Salesforce is one that we support, we have uh support for other CRMs such as HubSpot as well.

SPEAKER_01: 27:05

So this is the IAM from a broad scope.

SPEAKER_02: 27:11

So this is the IAM where we learn about employees, this is the CRM where we learn about their customers, uh and then we talk about and by the way, the CR through through CRM, we're not just learning about customers, but also a lot of these connectors happen to be both a learning connector as well as an analysis connector. What I mean by that is we use that connector to learn about the enterprise, but also looking at the content, for example, in Salesforce, we're talking about cases that that their customers are raising, support tickets, comments, and in those. So though all of that is interesting to us because uh sensitive data might leak the organization through any of those channels. Right? And then there are uh data in motion connectors, such as, for example, the the 365 mail, where we are looking at at emails in real time, SMTP server where we're looking at uh emails that are being managed by SMTP servers as a standard in in real time as well. SharePoint is where the data lives at rest, right? So we we are able to connect to uh pretty much all of the the sites, the SharePoint sites. We we can go at an individual OneDrive level and look at data, various folders and all of that. And what's interesting in all of this, as we are doing this, we are keeping the access model in view as well. What that means is when we're learning about a document in SharePoint, we are also aware of uh who has access at what level, at what privilege level to the document. And as and when those things change, we are able to determine the risk, not just through the from a data content point of view, but also access control point of view as well. And that's where the the whole thing about content management meeting contexts, in this case, for example, access control, you know, comes into the picture. So those are the connectors sort of learning as well as looking at data at rest and data in motion. And then we're talking about policies. So this is where you know you're applying your specific requirements from an enterprise customer point of view, where I would say the enterprise knowledge or the business knowledge means meets business logic, right, from a from a risk point of view. So obviously you are able to look at uh things such as you know how you're looking at risk from a customer trust point of view, right? Are you looking at mixing customer information? So if you are let's say in healthcare, it's very, very important that you're not leaking the information about one customer to another customer, right? So you can design those policies as a requirement and look at a category of risk such as customer risk, uh customer trust, which which is not possible if you just look at the content and and look at just the risk associated with let's say PII, right? Because that's Point in time, you're not aware of the relationships that you should consider when you're analyzing for us. So that's that's where the policies come in. Pausing there for a second and see if you have any questions.

SPEAKER_00: 31:05

I'm not sure. So like looking at the policies, you know, when when you mentioned that you could see if a user has you know access to it or a group or a role has access to it, can you then go you know straight from like the policies or at least the solution and make the correction and then it updates it, you know, in Azure or AWS, whatever it might be?

SPEAKER_02: 31:32

Yeah, so that's the the that's the beauty of it, right? So we as I forgot to mention, but there is an automation piece where we can actually automate some of the remediations that we believe should be available out of the box to customers. So for example, if we find that a document has risky content, then not only can we provide automation to notify the right folks, but also provide access control through automations where we can go and set sensitivity labels, for example. In this case, now that we are able to determine the risk of a of a particular document in context of not just the PIA, for example, but also relationship-based risks, such as uh customer trust issues or intellectual property leakage, because you're sending uh a piece of content to a customer who does not have NDA. So now we can set sensitivity labels in purview given that knowledge. We can also revoke certain access controls. So, for example, if we if we're looking at Salesforce, for example, we can go reach out into the Salesforce environment and cloud and make changes to the access control of a given piece of asset in Salesforce. So absolutely not just detecting risk, but also providing automated remediations based on the risk that is assessed, so that customers can go and make certain controls and changes to those in those sources as well.

SPEAKER_00: 33:24

Is it also making like recommendations of what to change? Because you know, I'm trying to think of like how this compares to like let's just say purview, for instance, right? Because I I feel like that's probably what everyone would ask when they're when they're looking at a solution like this. Well, why don't I just go with with purview, right? And and how does this you know offer me more capability than purview and and this and that, right? So that's just where I'm approaching it from like you know, what I'm thinking of.

SPEAKER_02: 34:00

Absolutely. So, and this is what I alluded to a little a while ago, that purview obviously can look at data, like can look at documents in in SharePoint, look at you know, based on their static policies and based on regular expressions that you can have in in their DLP policies, uh looking at, you know, for example, passport format or credit card format or social security numbers and all of that. So it can absolutely detect those risks in the Microsoft ecosystem, right? What it cannot do is basically look at that risk in context of uh let's say if this, for example, if I'm sending an email uh to a doc customer uh and I'm sharing some sensitive information in the email, it can uh you know be going to a customer with whom I have NDA. So it's it is it is absolutely fine for me to send that level of information. What Perview will do is it'll detect that sensitive information as leaving the organization and flag it as a risk, right? What we'll do is hey, this is we do detect some sensitive information leaving the uh the organization, but it is going to a customer who we know about through the discovery that we had from Salesforce and our accessibility to the various attributes that that customer has in our system. And we we know that we have an NTA with that customer. So putting those things together and then coming up with the risk assessment is far more accurate than what purview is able to do in the limited scope from a data boundary as well as from a risk assessment point of view that that it has the intelligence to do.

SPEAKER_00: 36:05

Oh, so you're able to build in context behind the data for your environment. Whereas like purview is kind of like cut and dry, where it's like, is it sensitive data or is it not? Does it include a social security number or does it not? You know, it doesn't even care like where it goes or where it lives, it's just kind of cut and dry like that.

SPEAKER_02: 36:25

Exactly. And we provide a very smart summary. So let's say this is this is how we are looking at an activity. So what I'm sharing right now is an activity analysis. So everything that we analyze is is uh presented in the system as an activity, and then you look at the overall risk of that particular activity, you can look at the content that was you know, you can look at who sent this email to which recipients, and then you can look at the content. What's more interesting is let me go back to the overview tab. You can in one shot look at the various policies that were applied. So you can look at customer trust for example, uh, which again brings in those relationship aspects, whether the customer that I'm sending this email to, am I mentioning other customers with whom I may have NDA, which thereby I'm violating that trust that I have with the other customer, for example, that I'm referring to. The intellectual property, am I discussing anything sensitive with this customer that I don't have NDA with? And then obviously the the set of checks that that you would provide or check for, for example, privacy. But even within privacy, for instance, traditional data security DLP players will look at privacy. Hey, is there a social security number or credit card number? What we'll do is, hey, is there a person whose address is mentioned, and that person's address is in California? You know, I don't have an NDA with that person, or this person is not even on the email thread, and that this person is because he his address is in California, I'm in violation of CCPA, right? So putting all of those things together and looking at all the properties, all the contexts of entities that are involved in a particular conversation, that's how you come up with an accurate sense of the risk involved.

SPEAKER_01: 38:44

Where or how is that context kind of configured? Absolutely.

SPEAKER_02: 38:50

So we have let me actually go to the insights tab. So this is where we you you can look at the insights from how the customer would look at it from a runtime point of view. So you can filter by what we have as is an entity linking as a stage where when we look at the data that is coming in, we then look at that from the learning various analyzers that we have. And that's where our intelligence lies, right? Where we have built very accurate analysis engines which are able to slice and dice the content that we have just received for analysis from various aspects. And entity linking is one key stage where we can extract the various folks or entities in a piece of content. So, for example, Rebecca we know is a person. How do we know that Rebecca is a person? Is by tapping into the, for example, the Salesforce Enterprise Store and learning from that you know stage when we flip the switch on, we spent a day just learning about uh the enterprise. We know that Danny is an employee with the role sending because obviously he was found in, let's say, the enterprise employee store, intra in this case. We know that Fleming LLC is an organization. And all of this is coming from the knowledge graph, right? So the knowledge graph is where you know all the entity information along with the context, their addresses, their the fact that uh they have uh NDA or not, right? The various groups that that exist in in the in the directory, the identity directory, and looking at who the members of a particular group are, right? So we know the members of group, and most interesting part is that for each of these folks, we have a very good sense of the risk of this this particular employee. So, for example, myself, I'm an employee at BonFi, and I can look at my risk, right? So BonFi traces A, it learns about the entities, but over a period of time, based on the activities and based on external risk intelligence, such as you know, other stores that are tracking risks from various other contexts, we tracked risk from a data security point of view. We put those things together and come up with a holistic entity risk. So all of these things combined gives you a much more accurate sense of when you say a data is risky or content is risky as it leaves the organization, you have to keep in mind not just what you found in that piece of content, but who was sending it, to whom was it going to, and and and the and the various contexts associated with each of those entities that were involved.

SPEAKER_01: 42:11

Hmm.

SPEAKER_00: 42:13

So you mentioned earlier that it would you know build in the context that like you have an NDA with a company and whatnot. Is it I mean it's looking at like the data stores and everything, so I assume the NDA would live in there and so it would see it and then it would automatically kind of build that context in.

SPEAKER_02: 42:38

Absolutely. So each and every organization that we we learn about, excuse me, we we let the customer tell us what we need to pull in from that uh from the data store. So another interesting piece is is if you go to the knowledge graph, we have this this concept of a mapping, right? So we and this goes back to the learning phase that we have, like the first 24 to 48 hours. The customer can tell us what they want us to learn from these sources. So, for example, if I'm looking at my Salesforce data, then I can look at the various attributes that we are allowing the customer to map from that source into us. And we have a normalized schema, what we call the the bonfi schema. So all of these numerous that we're talking intra, Salesforce, SharePoint, in future uh other connectors, they all normalize to the bonfi schema, and that's how we are able to then put together those various aspects to really find out how these things come together for let's say compliance requirements. For example, address is important when it comes to CCPA. The fact that somebody has an NDA will allow us to look at the risk at an elevated or not level, right? Hope that answers your question.

SPEAKER_00: 44:15

Yeah, no, that makes sense. Is there like a compliance pack potentially where you know, like you always see this in like CSPMs or or CNAPs where you know you could deploy like a HIPAA compliance pack and it tells you like how compliant you are with HIPAA across everything, right? Like I feel like that might be valuable to some to some companies to like get that single single view. Is there anything like that?

SPEAKER_02: 44:46

So we we do have what we call out-of-the-box policies. So, for example, if I go to the policy, you can look at customer trust-based policies. So these are all the customer trust policy. We have a privacy policies policy, which will, for example, check for location-based privacies. We have other compliance, for example, GDPR, which is very location-based requirements, might be there, for example, more stringent in the European region, thereby you know, having VII linkage for GDPR, for CCPA. So we do have some of these out of the box available, and customers are welcome to use them as is, or they can customize it based on our own what we call as content checklist or CCLs or templates that we provide out of the box. So absolutely, it is available out of the box to any customer, and based on the vertical that they serve or the location they're at, they can customize it based on those attributes.

SPEAKER_01: 45:56

Okay.

SPEAKER_00: 46:08

They're immediately like spinning up you know, compliance packs, so to speak, or these checks for you know their requirements, and then just watching it as it analyzes, how long, how long does it take to like start learning, you know, in the environment from the time I hook it up for the very first time to the time that I start getting you know valuable data from it, how long does that typically take?

SPEAKER_02: 46:35

So I always like to tell everybody that if you want BonFi to work as you know something that is just looking at data based on out-of-the-box policies at real-time data, such as email, it can be up and running in minutes, which is to say that, hey, just connect your configure your Microsoft 365 connector, tell it the mailboxes to look for the policies to apply, uh, and that in when it's looking at the emails for this account for this mailbox, it can be up and running in minutes. What will be missing in that case will be the various contexts that it would need to come up with those intelligence insights that I showed to you. And for that, you know, you need more connectors like to the Salesforce, to the HR management system such as Workday or ADP. Because it builds in that context. To build those contexts. So for that, you and we strongly recommend to obviously bring those contexts in for to reduce false positives and for for more accurate analysis. And for that, I will say maybe a day or two days at max for BonFi to connect to these sources and learn from those from those sources, build those contexts, build those relationships, know about, let's say, the what we call as cross-references, a group members, you go to the member and you know all the other groups that that particular member is entity is a member of, and then bringing those elements of risk. So if Vishnu, who's a risky user because of his activities, the last 10 activities, is a member of this group, then in turn that group becomes risky. And then when you assign that that group to access a sense of document, hence just by by that property and connection, that document becomes risky. So all building all that intelligence and and and bringing those relationships, I'll say about max two days.

SPEAKER_01: 48:41

So is it's really good to know.

SPEAKER_00: 48:47

Let's assume, right? Like, you know, I have a company, they're they're just doing data security and I am terribly, right? Where they're not limiting their users to what kinds of data they should have access to and whatnot. And this solution, you know, once it does its learning phase, and let's say it has all the context available to it, if it sees that a user has access to PII data or PCI data, but it's literally never even accessed that data, is there a way to tell that within this solution so that I can then go and like remove those permissions? Maybe not obviously the removing of the permissions in this solution, but is there a way to uh you know identify it right fairly quickly, and then I can go and resolve it, or is that just not built in yet?

SPEAKER_02: 49:45

Absolutely. So let's chop that in two stages, right? So, first and foremost, so this is the dashboard that I'm sharing, and you can see the various sources that that we are looking at data from. And we're talking about risky users, you have a pretty good sense of the risky users based on the activities that we are seeing for these users. So, for example, if next time I see an analysis on let's, for example, a SharePoint system, right? So I'm looking at a SharePoint, and this is, you know, I go to the document and it has it has the title and what I was referring to, it has uh information about the permission model, right? And you can see the various uh groups, you know, and and what kinds of privileges that they have, right? So if I see that, you know, there is a person or a group that has access to this piece of content, which I deem to be as as risky or sensitive, even if that person has not accessed this particular document, I will know that they will they can if they wanted to, because I I know that they have access and thereby I can go and take corrective measures. So that's that's what we have today, right? What we are also building as a future, and maybe in our in one of our future podcasts we can talk about that, is more visibility into more proactive controls that we can suggest and recommend to customers where you can say that hey, this user or this group has access to this particular sensitive document or a repository or a site, and they have not accessed it in some time. And thereby we recommend that they can use one of their, for example, governance access governance solution to in in in you know practicing least privilege principles, you should reduce the the access of this particular group or identity to this repository.

SPEAKER_00: 52:11

Oh, okay. Well, that's interesting. Yeah. I I don't think I don't think I have any other questions right now. Was there any anything else that you wanted to dive into? I know that we're at the top of the time, you know, right now, right? And I I try to really stay on time with everyone that I got, but was there anywhere that you wanted to take me before before we end it?

SPEAKER_02: 52:34

No, just uh just that, you know, in particular about copilot, a lot of our Microsoft customers are interested in knowing about how we enhance or augment purview to to protect or or secure their co-pilot rollout. Uh so we do we talked about labeling, auto-labeling. So we do analysis of documents and and then label stuff in SharePoint, and thereby you can you know configure your your preview uh to look at those labels, right? And hence secure the co-pilot uh rollout at a at a given enterprise, right? So that's that's one thing that I would definitely love to highlight because a lot of our customers are asking about how do we secure copilot. Given our contextual intelligence-based uh analysis that we have.

SPEAKER_00: 53:28

Yeah, no, that's a really good point. I I've seen I've seen a lot of lot of customers of mine that like come up and they're like, yeah, we want to use this thing, but and we're already using it. How in the world do we figure this out because you know so much stuff is going on that we don't even know about in Copilot or Chat GPT or you know, whatever LOM that you want to name?

SPEAKER_02: 53:54

Absolutely. And that's something that we'll obviously talk a little bit more about as we start rolling out more and more stuff to secure in general our our AI analysis, shadow AI, and all of those interesting use cases, helping developers build secure, smarter applications using models. Uh so we'll talk a lot more about that in the future podcasts.

SPEAKER_00: 54:17

Awesome. Well, Vishnu, I I really appreciate you taking the time to come on with me and you know answer all of my uh the questions. I'm sure that they're they might have been like stupid questions, but questions that I've I have, you know, as someone that has never looked at this before or anything like that, you know, it's it's interesting domain and it's gonna become more and more important, you know, in security overall, especially cloud security for sure. Absolutely.

SPEAKER_02: 54:47

I truly appreciate your time, Joe, and absolutely love you know our chat.

SPEAKER_00: 54:52

Yeah, yeah, absolutely. Well, if anyone, you know, listening to this episode is interested in connecting with Vishnu, I'll put his LinkedIn down below. And then, you know, if you're interested in learning more about Bonfi AI, I'll have the links to their site and a place that you can get a hold of them. Yeah. So thanks everyone. I really hope that you enjoyed this episode. It was definitely very educational for me specifically. So thanks everyone. Thank you.

Joe South

Host