Data-centric security solutions have traditionally been inward facing, and have focused on protecting data within the organization’s domain as it is collected and stored. However, data is moving away from the center of the organization, not toward it, and mega trends like cloud and mobility are only accelerating the process. Effective data-centric security protects data as it moves away from the center of the organization to be shared and consumed. This includes ad-hoc relationships beyond the domain boundary, enabling secure interactions with customers and partners. (Do some background reading on IT security. Try The 7 Basic Principles of IT Security.)
The 3 Critical Truths of Data-Centric SecurityAn evolved view of data-centric security is based on three critical truths that point the way for how security must be implemented in order to be effective:
- Data will go places you do not know, cannot control and increasingly cannot trust. This happens through the normal course of processing, through user error or complacency, or through malicious activity. Because the places your data goes may be untrusted, you cannot rely on the security of the network, device or application to protect that data.
- Encryption alone is not sufficient to protect data.
Encryption must be combined with persistent, adaptable access controls that enable the originator to define the conditions under which a key will be granted, and change those controls as circumstances dictate.
- There should be comprehensive, detailed visibility into who accesses the protected data, when and how many times.
This detailed visibility ensures auditability for regulatory requirements and powers analytics for broader insight into usage patterns and potential issues, which in turn improves control.
Data: Oh, the Places It Will GoStarting with the first truth, we are able to conclude an important, pragmatic operational standard: For data-centric security to be effective, the data must be protected at the point of origin. If the data is encrypted as the very first step in the process, it is secure no matter where it goes, on what network it travels and where it eventually resides. Doing otherwise requires the trust of every computer, every network connection and every person from the point that the information leaves the originator’s care, and for as long as it or any copies exist.
Protecting data at the point of origin makes a big assumption: Your data-centric security solution must be able to protect the data wherever it goes. As the first truth tells us, the data and its many naturally created copies will go to a lot of places, including mobile devices, personal devices and the cloud. An effective solution must secure data independent of the device, application or network. It must secure that data regardless of its format or location, and regardless of whether it is at rest, in motion or in use. It must readily extend past the perimeter boundary and be capable of protecting ad-hoc dialogs.
This is where it is useful to stop and consider the many point- and function-specific data-centric security solutions available on the market. By their very nature, these solutions create silos of protection because - as the first critical truth dictates - data will reside somewhere outside of their span of operation. Because these solutions lack the ubiquitous protection necessary, agencies and businesses are compelled to erect multiple silos. Yet despite the best efforts of these multiple silos, the results are predictable: Data will still fall between the gaps. And these gaps are precisely where outside adversaries and malicious insiders lie in wait to exploit vulnerabilities and steal data. Furthermore, each silo represents real costs in acquiring, implementing and supporting the associated solution, and the operational burden of managing multiple solutions. (More food for thought: The Data Security Gap Many Companies Overlook.)
Encryption of Data Just Isn't EnoughThe second truth states that encryption on its own is not sufficient - it must be combined with granular and persistent controls. The act of sharing content effectively surrenders control over it, essentially making the recipient co-owner of the data. Controls enable the originator to set the conditions under which the recipient is granted a key to access the file and enable the option to dictate what the recipient can do once the data is accessed. This includes the option of providing view-only capability where the recipient cannot save the file, copy/paste content or print the file.
The term "persistent" is a critical characteristic of the access controls necessary for effective data-centric security. The data remains virtually tethered to the originator, who can respond to changing requirements or threats by revoking access or altering the conditions of access at any time. These changes must be instantly applied to all copies of the data, wherever they reside. Remember that the first truth states that the data may be in places the originator does not know or over which it cannot exert control. Therefore, prior knowledge of where the data resides and physical access to the associated devices cannot be assumed. Persistent control has the added bonus of addressing revocation of data on lost or stolen devices that likely will never be in contact with the network again.
Adaptability is a critical feature that simultaneously differentiates competing solutions and supports the case for a unified, ubiquitous approach. Not all data-centric security solutions are created equal, as some use encryption methods invented before mobility, the cloud and broad adoption of the Internet. With these methods, the access controls are set at the moment the data is encrypted, but they lack the benefits that come with persistent control.
Who, When and How Many Times Is Data Accessed?The third truth of effective data-centric security is the absolute need for comprehensive visibility and auditability. This includes visibility into all access activity for each data object, authorized and unauthorized. It also includes visibility into any data type, inside and outside the perimeter boundaries. Comprehensive audit data and nonrepudiation enables an organization to know who is using data, when and how often. Visibility empowers control, giving organizations the information to make rapid and well-informed responses to the relentless attempts to exfiltrate information. This visibility should extend to the organization’s broader security ecosystem, providing the data to security information and event management (SIEM) tools and operational analytics. In turn, the correlation and analysis can yield insights such as the identification of possible malicious insiders.
You will be breached. Every layer of IT security defenses can and will be compromised. Organizations can no longer rely on perimeter security to secure sensitive data and intellectual property. They must look to alternative approaches to protect sensitive information. It is not just perimeter defenses that are struggling, as many data-centric security solutions were built before mobility, BYOD, the cloud and Web-based, extra-domain interactions. Organizations must turn to data-centric security solutions that take an evolved view, fully addressing the hard truths of protecting data in today’s quickly changing and highly complex computing environment.