Imagine this scenario: on an otherwise fine and ordinary Monday morning, your security operations center (SOC) flags a suspicious alert.
Files from a confidential vault are transferring to someone’s personal cloud storage account.
Halt! An analyst stops the flow, but some files are leaked to who-knows-where.
In fact, other than knowing the leak happened, you know nothing else: which files, who owns them, where they originated, why these and not others.
Your CISO must report the incident to the board, but can’t answer these questions you know the board will ask her.
Even equipped with modern security tools (that of course exhibit the latest shiny AI features), security teams struggle to reconstruct a chain of custody with satisfactory evidence.
Without such information, it’s difficult to learn much from incidents like these, to improve policies and procedures, and to minimize the likelihood of similar ones in the future.
Data lineage, a somewhat newer type of signal that can be incorporated into data flow policies, provides the forensics that can help CISOs answer the questions boards routinely ask.
Key Points on Data Lineage
- Data lineage helps security teams track files, actions, and users across the entire data lifecycle.
- Traditional security controls often fail to provide full visibility into how sensitive data moves between systems and users.
- Lineage records remain intact even when files are copied, reformatted, or renamed.
- The approach can improve insider risk detection, incident investigations, and policy enforcement.
- Data lineage will become increasingly important for securing AI agents and non-human identities.
The beginning is a very good place to start
Traditional security controls watch the doors and, for the most part, help identify the particularly loose ones.
But, unlike physical structures, software permits new doors to materialize — frequently more often than inspectors can discover and patch over.
Surely it’s better to wrap controls around what moves through the doors than to graft more controls onto the doors themselves, right?
Various flavors of rights-based access controls embedded into files and data objects have existed for decades, but they stubbornly remain unimplemented because of complexity and poor interoperability.
Data lineage is a simpler mechanism for devising policies that protect files and data rather than doors.
It tracks an object’s journey from its origin to its destination, recording every action and actor along the way.
Data lineage indicates the details of every action and who was responsible for it.
Even a “save-as,” which usually erases historical metadata from new copies, won’t break lineage records.
Lineage provides an immutable audit trail that allows security teams to determine ordinary, approved data flows and build policies that guard data from exposure before it becomes vulnerable.
Consider this example: a nefarious employee downloads a list of at-risk customers from Salesforce and emails it to a collaborator, who then subsequently reformats the data before uploading it to a personal Box account.
Without lineage, these are three disparate, disconnected events.
With lineage, actor and action signals remain with the file regardless of its format, providing a continuous thread of movement and intent. Lineage tracks the data’s complete lifecycle.
Lineage provides the forensic details necessary for effectively managing insider risk: companies can disrupt unauthorized flows when attackers (both internal and external) try to evade policies through name or format alterations.
The lineage graph (a visual representation of an object’s lifecycle) becomes another tool in a defender’s arsenal to accelerate the time required to reveal the root cause of an incident.
Talk to my agent
If you think it’s a monumental task to manage flows between 10,000 people, well… just wait until you need to manage flows between 10,000,000 agents!
Deploying data lineage along with systems for managing non-human identities (every agent should possess an identity) quickly becomes a requirement not only to maintain good forensics about agents and actions but also to comply with ever-increasing yet always-murky regulatory regimes across the world.
In fact, incorporating lineage into LLM training data helps ensure that training abides not only by internal ethics policies but also those external regulations.
It offers the evidence you need to demonstrate to auditors, regulators, and customers that your training data is safe, sane, and sound.
Extracting value from lineage
As with every other security product category, standalone lineage tools exist.
And combined with a pile of other standalone tools, lineage provides marginal extra value.
Standalone tools lack the capacity to exchange signals, which reduces their utility.
What good are signals from a lineage tool if they can’t influence policies that govern data flows?
Answer: none.
For security teams to make effective use of lineage — to wrap portable protection around data and files — lineage must be a feature of larger platforms that apply security policies to all data that flows through them.
Files flow everywhere: from private applications through random web sites to approved and unapproved SaaS applications, via managed and unmanaged devices.
Security teams need platforms that inspect all these flows, categorize every object, and now track every actor and action to ensure that the right people have the right access to the right resources at the right times for the right reasons.
Data is like air: it expands to fill all available space and loves to leak. It also accumulates stories to tell.
Data lineage reveals these stories, improving your company’s security posture as you strive to strike the balance between staying secure and innovating your business.