Irrespective of the ongoing pandemic, the decentralization of the office-based working environment was inevitable. The issue, however, was that the shift happened faster than we could have anticipated. This in turn meant that organizations across the globe had to quickly adjust their security strategies to suit a remote working environment. With employees being able to access their company’s network from any location, using any device, the traditional perimeter-based approach to data security was no longer adequate. A different approach was needed.
What is Data-Centric Security
Data-centric security is about the technologies, processes, and policies that focus on the data itself, including where it is located, and how it is being accessed and used. In other words, it is a framework that helps us gain visibility into what data is collected, stored, accessed, moved, shared, modified, and removed. Data-centric security includes the use of multiple solutions which cater to on-premise, cloud-based, and hybrid IT environments.
Data breaches happen, they are on the rise, and they can happen to any organization, big or small. Companies are collecting more data, using more apps and platforms, and users are having to remember more credentials. As IT environments become more complicated and distributed, blind spots begin to emerge. In order to avoid falling out of compliance with the relevant data privacy laws, companies must do what they can to remove these blind spots by carefully monitoring the data they are entrusted with.
The Four Gaps in Data Governance
There are essentially four gaps, or “blind spots” as I call them, that need to be understood in order to gain the visibility we need to establish an effective data-centric security model. These gaps are as follows;
Human error is still a leading cause of data breaches. Employees frequently download sensitive data onto portable drives and devices, bypass secure FTP servers, send sensitive data to the wrong recipients, share credentials with their colleagues, and more.
Once sensitive data has moved beyond the boundaries of our environment, we no longer have visibility into where it is and who has access to it. As you can imagine, this is a difficult problem for security teams to solve.
Naturally, if you don’t have visibility over your sensitive data, you won’t have control over it.
An organization’s security measures need to keep up with changing technologies and processes. The problem is, they rarely do.
Closing the Gaps with Data-Centric Security
A data-centric security model uses multiple layers of defense to ensure that employees can’t simply access or move sensitive data beyond the boundaries of their network. In other words, sensitive data can’t leave the network without sounding alarms and initiating a response. These layers include the implementation of data classification solutions, strict access controls, data loss prevention (DLP) technologies, encryption, and more. Below is a summary of each of these technologies and processes, and how they help to close the data governance gaps mentioned above.
If you don’t know what data you store, or how valuable it is, there’s little chance that you will keep it secure. A data classification software will scan your repositories (both on-premise and cloud-based) and classify data as it is found. Some solutions will also classify data at the point of creation or modification.
Classifying your data will put you in a good position to implement access controls in an informed and organized manner. As always, you must closely adhere to the “principle of least privilege” to ensure that users are granted the least privileges they need to perform their role. A term that is thrown around in relation to data-centric security is “zero-trust”, which stipulates that users (and processes) should always verify their identity before accessing a secured resource.
Data loss prevention (DLP)
Data loss prevention solutions are designed to prevent sensitive data from leaving your network. Some solutions will monitor outbound network traffic, while some will monitor the data stored on endpoints. For example, if someone performs an action that might result in the loss of sensitive data, such as when an employee sends sensitive data to the wrong recipient, the DLP solution will either block, quarantine, or warn the user accordingly.
Managed file transfer (MFT)
MFT solutions allow organizations to securely transfer files between networks using file transfer protocols that offer better encryption standards than FTP and HTTP.
Data-Centric Audit & Protection (DCAP)
A Data-Centric Audit & Protection solution will monitor your accounts and data for suspicious activity. They will aggregate event data from multiple platforms, both on-premise and cloud-based, and display a summary of events via a single dashboard. Most sophisticated DCAP solutions use machine learning models to detect and respond to events that are not typical for a given user. They can also detect and respond to events that match a pre-defined threshold condition, such as when X number of files are downloaded within a given time frame. Of all the data-centric solutions available, DCAP solutions provide the most visibility into who, what, where, and when, changes are made to your sensitive data.