Back to Blog
Minute Read

Kheun Chan, Principal Security Architect at Iron Mountain on ensuring data flows only where it's supposed to

Michael Osakwe
Sr. Content Marketing Manager

Welcome to our Data Security Innovators series, where we talk to security practitioners who are navigating the frontiers of security with novel processes and technologies. In this episode, we speak to Kheun Chan, Principal Security Architect at Iron Mountain. Iron Mountain is renowned as one of the world’s best secure information storage and management services, with 95% of the Fortune 1000 as customers of the company.

In this article

In this episode, Kheun speaks with host and Cyberhaven Solutions Engineer Silas Glines, about:

  • The nature of the compliance and security obligations that Iron Mountain has to its customers.
  • The critical importance of data classification in enabling a mature data loss prevention program.
  • Why mapping and understanding data egress is the core problem that needs to be solved by a data loss prevention program.
  • And more.

Check out the highlights below.

The importance of a DLP program for Iron Mountain’s brand

Given that Iron Mountain is a renowned global leader in data management services, data security is clearly at the heart of what enables the company. Kheun briefly speaks to this by highlighting all the industries that Iron Mountain serves and how the company earns the trust of firms in highly regulated industries.

Why do customers use Iron Mountain? It's not just because of the pricing that we offer. It's the compliance certifications and industry certifications of the customers that we serve.

– Kheun Chan, Principal Security Architect, Iron Mountain

What enables the success of a DLP program?

Kheun talks about the importance of understanding data through classification as a critical part of the process of enabling data loss prevention. This enables insights like understanding the data lifecycle of content (to determine storage and retention policies) and knowing how to consistently apply DLP policies based on attributes of the data within your environments. 

“DLP is just the end goal. To get there, you have to have a foundation for your data classification and tagging. If you don’t, then you have to backtrack and find some other way to do data discovery and classification, which is a lot of work.”

– Kheun Chan, Principal Security Architect, Iron Mountain

Why understanding “data flow” is critical for enabling DLP

In this clip, Kheun talks about the importance of understanding data egress. This means knowing where data is created, who accesses it, and where it ends up is critical to understanding whether data security policies are being followed. 

We’re a global company, so we have to have our hands wrapped around how data moves. Where does data move? Do you allow access to certain people with a specific functional role? Who is monitoring and governing data flow? What processes and controls do you have in place to monitor that?

– Kheun Chan, Principal Security Architect, Iron Mountain

How Iron Mountain is using Cyberhaven to monitor data flow

Given the importance of monitoring data egress, Kheun speaks about how Iron Mountain uses Cyberhaven to see where data is going to iterate on their policies over time.

We just monitor the company's assets and where the data should be flowing to. And that first pass gives us an idea of the first three or four use cases we should develop to make policies.

Kheun Chan, Principal Security Architect, Iron Mountain

Using Cyberhaven to distinguish personal from corporate cloud instances

A common challenge that security teams face with legacy solutions like CASBs and traditional DLP is that these tools often fail to distinguish between data going to a personal instance of some collaborative SaaS application like Google Drive or Microsoft 365. This makes it difficult for companies relying on these tools to block egress into these personal cloud applications without impacting access to corporate accounts. Kheun talks about how useful it is to be able to make this distinction to control Iron Mountain’s data flow more robustly.

Cyberhaven is great because we’re able to distinguish a personal account from an enterprise account, which is great.

Kheun Chan, Principal Security Architect, Iron Mountain

{{ promo }}

What’s the value of data lineage for Iron Mountain?

Here, Kheun talks about the first time he saw data lineage in action and how intuitive he found it. Data lineage allows security teams to act on facts about data, like where it was generated, which users have access to it, and what locations it has been stored in, allowing for informed decision-making. Data lineage has been a significant component of Iron Mountain’s program. 

It doesn't matter what the content looks like, but if you’re taking something intended for private use and making it public, that shouldn't happen. Cyberhaven lets you prevent that.

Kheun Chan, Principal Security Architect, Iron Mountain

How easy is it to enable data lineage to enhance data classification?

One of the things that amazed Kheun was how easy it was to enable data lineage and how much value that provided. While Iron Mountain has data classification and content tagging in place, data lineage is something that Cyberhaven enables automatically without setup. This has been a high-value feature with surprisingly low overhead for Kheun’s team. 

“[Data lineage] is exactly what I needed because I've worked with data discovery products before and it can be a high-maintenance team exercise just to get data classification in place.”

– Kheun Chan, Principal Security Architect, Iron Mountain

Remediating security incidents with a light footprint

There’s a well-understood tradeoff between security and convenience, with draconian security controls disproportionately impacting productivity. Understanding this, Kheun highlights how his team took a softer approach to policy enforcement and was excited to see that Cyberhaven enabled this with a just-in-time notification that allows employees who violate policy to be informed of what they’re doing and to confirm or justify their actions if they have a legitimate business purpose for doing so.

Ease of use and security are opposites, so you have to find a happy medium. Doing that required extensive testing and making sure users weren't impacted.”

– Kheun Chan, Principal Security Architect, Iron Mountain

Leveraging a lightweight but powerful security agent

Resource impact is a serious concern when deploying a security platform across user devices. Kheun talks about the extensive tests Cyberhaven passed for his team in terms of resource usage on user devices, as well as how the agent is lightweight and easy to manage.

“We had to test the platform for a long time to make sure the user wasn’t impacted. That was a major concern. Nowadays, you slap on another agent on the laptop, but you have to monitor to make sure they have no impact on performance for the users.”

– Kheun Chan, Principal Security Architect, Iron Mountain

The importance of continuous learning after deployment

Khen talks about how valuable data lineage is in enabling insights, even long after deploying Cyberhaven. Because Kheun can see, in real-time, how closely his company’s data flow abides by his organization’s compliance requirements, it’s possible to adjust policies on the fly, with ease, in order to iterate on the effectiveness of enforcement.

It’s great for me because I understand where my data is, and I understand, based on my policies, where the data shouldn’t be going. I’m actually tweaking my policies because I learned a few more things after seeing the data.

– Kheun Chan, Principal Security Architect, Iron Mountain

Seeing real impacts on behavior and an immediate reduction in false positives

In this final clip, Kheun talks about the night and day difference he’s seen in both user behavior and the reduction of false positives because of how transparent data lineage enables him to monitor data egress and employee behavior. This has played an essential role in enabling Iron Mountain’s DLP program to prove value.

The difference in our environments with Cyberhaven is night and day. We know the domains and destinations where data shouldn’t be going. I can also set up Cyberhaven to read all of my existing data tagging and classification. It’s an enhancement. If you have existing data classification, this is great.”

– Kheun Chan, Principal Security Architect, Iron Mountain

Learn from the industry’s top-notch security innovators

If you enjoyed this recap, join us for our next installment of the Data Security Innovator series by subscribing to our blog.

Watch the full discussion
Watch now
The ultimate data protection program checklist
Download now