Matilda Bailey has spent her career at the forefront of the networking revolution, witnessing firsthand the transition from rigid, hardware-defined perimeters to the fluid, software-driven ecosystems of today. As a specialist in next-gen cellular and wireless solutions, she understands the unique pressures that multi-cloud deployments and SaaS sprawl place on modern infrastructure. Her perspective is shaped by the reality that data no longer lives behind a firewall but is constantly in motion across APIs, edge systems, and remote user devices. In this discussion, she explores why the traditional concept of a “secure perimeter” is dead and how organizations must pivot toward a data-centric protection model that prioritizes identity, governance, and cryptographic resilience.
The conversation covers the essential shift from infrastructure-focused security to distributed, lifecycle-based controls that follow data wherever it travels. Bailey delves into the mechanics of effective governance, explaining how visibility and automated classification form the foundation of a modern security posture. She also breaks down the technical nuances of encryption and tokenization, the operational hurdles of multi-cloud key management, and the strategic necessity of building “breach-assumed” architectures. Throughout the interview, the focus remains on balancing high-level security with the performance demands of a global digital economy, ensuring that data protection becomes a driver of business value rather than a bottleneck for innovation.
In an era where SaaS platforms and multi-cloud environments have effectively dissolved the traditional network perimeter, how should security leaders rethink the concept of a boundary?
The reality we face today is that the “castle and moat” strategy is a relic of a different age of computing. In our current landscape, enterprises operate across on-premises systems, multi-cloud clusters, and edge environments with no fixed geographical or digital boundaries. Because data is constantly traversing partner ecosystems and remote user systems, the focus has to shift entirely from infrastructure security to data-centric protection. We are seeing a move toward an operating model where identity and context—not physical or network location—are the primary drivers of every access decision. This means we must apply consistent controls at the very point where data is created, shared, or processed, ensuring that the protection is as mobile as the data itself.
Visibility is often cited as the biggest challenge in distributed networks. How can organizations maintain control over their data lifecycle when shadow IT and API-driven integrations are so prevalent?
Effective protection is impossible without absolute visibility, and that starts with establishing clear data ownership models. Organizations need to define exactly who is responsible for classifying data and managing protection policies across various business units and cloud platforms. We use automated discovery tools to continuously monitor sensitive data across databases, endpoints, and even the most obscure edge environments to prevent “policy drift.” By establishing strict data lifecycle controls, we can track information from its initial creation and active use all the way through to its eventual archival or deletion. This level of transparency, supported by detailed data lineage and audit trails, is what allows a team to identify emerging risks or compliance gaps before they escalate into a full-scale security incident.
Encryption and tokenization are critical, but they can introduce latency. How do you implement these core protections without compromising the performance that users and customers expect?
It is a significant technical challenge because encryption at rest, in transit, and in use inevitably introduces computational overhead. To manage this at scale, we adopt a risk-based architecture where the strongest, most resource-intensive protections are reserved for the most sensitive and business-critical data. For instance, in high-volume analytics or operational SaaS tools, we often utilize tokenization to replace sensitive information with placeholder values, which allows the system to function without exposing the actual data. We also integrate these security requirements directly into the CI/CD pipeline as policy-as-code, ensuring that enforcement is automated and consistent across multi-cloud environments. This automation not only reduces the risk of human configuration errors but also helps maintain the high-speed throughput that modern digital businesses require to stay competitive.
Managing cryptographic keys across multiple cloud providers can be an operational nightmare. What are the best practices for maintaining control in such a fragmented environment?
Key management is arguably the most critical component of a resilient data protection strategy, but it requires a careful balance between centralized governance and distributed enforcement. You want to establish a single source of truth for key policies while allowing for localized enforcement in edge environments or specific cloud platforms where it is operationally necessary. We strongly advocate for the use of hardware security modules (HSMs), which provide a tamper-resistant environment for the most sensitive workloads. Beyond the hardware, it is essential to automate the entire key lifecycle—generation, rotation, and revocation—to minimize the chance of human error. By maintaining a clear separation of duties and a comprehensive audit trail, organizations can ensure that they retain full cryptographic control over their data, regardless of which third-party provider is hosting it.
Since many experts now assume that breaches are inevitable, how does a data-centric approach change the way a company handles incident response and business continuity?
The shift to a “breach-assumed” mindset means that our goal is no longer just about keeping people out, but about containing the impact when someone inevitably gets in. A data-centric response strategy allows us to use encryption key revocation as a defensive weapon; if we detect an incident, we can invalidate the keys, effectively turning the stolen data into useless digital noise. We also prioritize the creation of immutable backups and encrypted recovery systems to ensure that we can maintain operational continuity without having to pay a ransom or lose weeks of productivity. By using segmentation and zero-trust policies to isolate data, we can limit the “blast radius” of a breach, ensuring that a compromise in one API or microservice doesn’t lead to a total collapse of the enterprise. This level of resilience turns security from a simple compliance checkbox into a genuine competitive advantage.
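The three mechanisms discussed above, tokenization that leaves a placeholder in place of the real value, a key hierarchy with automated generation and revocation, and key revocation used as a containment action, fit together in one small design. The following Go package is an added example written for this page; it is not code from the interview, from Bailey, or from any product she describes. It assumes AES-256-GCM as the cipher, an in-memory map standing in for the HSM or KMS that would hold the key-encryption keys (KEKs) in production, and constructed sample values; the names Vault, Tokenize, Detokenize, ProvisionTenant and RevokeKEK are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Record is what the vault keeps instead of the sensitive value.
type Record struct {
	Tenant     string
	WrappedDEK []byte // per-record DEK sealed under the tenant KEK (AAD = tenant)
	Blob       []byte // nonce || AES-256-GCM(DEK, value) (AAD = token)
}

type Vault struct {
	keks   map[string][]byte // tenant -> active KEK; stands in for an HSM/KMS (demo assumption)
	tokens map[string]Record // opaque token -> sealed record
}

func NewVault() *Vault {
	return &Vault{keks: map[string][]byte{}, tokens: map[string]Record{}}
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

// gcmFor builds AES-256-GCM; the only failure mode is a wrong key size, a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return gcm
}

// seal returns nonce||ciphertext, authenticating aad alongside the data.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// unseal reverses seal; a wrong key, wrong aad or tampered blob fails closed.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if ns := gcm.NonceSize(); len(blob) >= ns {
		return gcm.Open(nil, blob[:ns], blob[ns:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

func (v *Vault) ProvisionTenant(tenant string) { v.keks[tenant] = mustRandom(32) }

// Tokenize stores value under a single-use DEK and hands back an opaque token.
func (v *Vault) Tokenize(tenant string, value []byte) (string, error) {
	kek, ok := v.keks[tenant]
	if !ok {
		return "", errors.New("tenant has no active KEK")
	}
	dek := mustRandom(32)
	token := "tok_" + hex.EncodeToString(mustRandom(16))
	v.tokens[token] = Record{
		Tenant:     tenant,
		WrappedDEK: seal(kek, dek, []byte(tenant)),
		Blob:       seal(dek, value, []byte(token)),
	}
	return token, nil
}

// Detokenize needs the tenant's live KEK; after RevokeKEK the blob is noise.
func (v *Vault) Detokenize(tenant, token string) ([]byte, error) {
	rec, ok := v.tokens[token]
	if !ok || rec.Tenant != tenant {
		return nil, errors.New("unknown token for tenant")
	}
	kek, ok := v.keks[tenant]
	if !ok {
		return nil, errors.New("KEK revoked: record is unrecoverable")
	}
	dek, err := unseal(kek, rec.WrappedDEK, []byte(tenant))
	if err != nil {
		return nil, err
	}
	return unseal(dek, rec.Blob, []byte(token))
}

// RevokeKEK is the crypto-shred: every DEK wrapped under it is now stranded.
func (v *Vault) RevokeKEK(tenant string) { delete(v.keks, tenant) }
```

Because each value is encrypted under its own data key, the bulk ciphertext never has to be rewritten when a tenant's KEK is rotated; only the small WrappedDEK fields are re-wrapped, which is what keeps scheduled rotation affordable at scale. Revocation, by contrast, deletes the KEK and leaves every record for that tenant as unrecoverable bytes while other tenants are untouched, which is the limited blast radius the answer above describes. In a real deployment the delete in RevokeKEK would be an HSM or KMS key-destroy operation that is itself logged and subject to separation of duties, and the token-to-record store would need its own access control, since a token is only a safe placeholder as long as detokenization is tightly gated.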
What is your forecast for the future of data-centric protection?
I anticipate that the next few years will see a total convergence of security and data management, where data effectively becomes “self-defending” through deeply embedded metadata and automated policy enforcement. We will move away from manual classification toward AI-driven systems that can recognize sensitivity and apply the necessary encryption or tokenization in real-time as data moves through an API. This evolution will drastically reduce the compliance burden for global organizations, as auditable enforcement will be baked into the data lifecycle itself. Ultimately, the organizations that thrive will be those that stop treating data as a byproduct of their infrastructure and start treating it as a continuously governed, high-value asset that requires its own independent security layer. This transition will not only mitigate the financial exposure of potential breaches but also build a foundation of trust that is essential for market expansion in an increasingly decentralized world.
