Data-centric Security Model – A New Approach to Business Security
Data breaches have become the norm in the last few years, signaling it’s time for existing security systems to evolve. A data-centric security strategy shifts the approach from a company’s outer defences to making the data itself more secure.
Data security is an important responsibility for any organization. It’s not uncommon for companies to spend large amounts of money on securing the perimeter of the organization against various external threats to its systems and data such as hacking, malware and ransomware. However, not all data threats originate from outsiders.
Increasingly data breaches and security incidents are caused by the accidental sharing or mishandling of sensitive information by an employee or contractor, or the deliberate theft of data by a malicious insider for personal gain. Known collectively as insider threats, no organization is immune to this type of data loss.
Why? Quite simply, most traditional security methods and approaches are not designed to protect against data breaches and incidents that originate from your trusted users, or they only do so after the fact. Employees, contractors, and partners now have far more access than ever to a company’s data from different devices, geographical locations, and applications.
Why existing security methods are no longer effective
A strong perimeter and traditional access control are useless if the security threat comes from a trusted user with legitimate access to systems and data.
Many traditional security measures are not designed to address business collaboration tools and trusted users, leaving these safeguards ineffective against insider threats for a number of reasons:
- Your employees are meant to have access to data. Traditional systems are not designed to control what a user does with that data once they have access to it. Behaviour analysis and threat detection tools used to fill this gap can only spot a problem after it’s already happened. They can’t proactively stop it from happening in the first place. This is why insider incidents can take months to detect. According to the 2021 Cost of a Data Breach Report malicious insider breaches on average take 306 days to identify and contain – long after the damage has been done.
- Data is constantly in motion and accessible from just about anywhere. A file can be accessed from the organization’s internal network using a work PC in the office or from a home office, or somewhere else entirely, like a coffee shop or airport. In some cases, that same file could even be accessed using a personal device like a smartphone or iPad.
- The sheer number of applications used to collaborate on and share data poses a risk. To better control data loss and misuse, you also need to be able to control usage and sharing of files, not just access. For example, the sensitivity of a document can change dynamically as users collaborate on it; they can copy sensitive or proprietary information from it, download it, or share it with another person inside or outside the organization via email, chat tools or cloud sharing apps. These interactions are impossible to control with the traditional security tools that were popular just a few years ago.
The classic data security approach is simply no longer effective with the multitude of collaboration channels and access points available in the modern era.
A Data-centric Security Model Provides a Solution
While the major data breaches make the front-page news, it’s important to remember that smaller security incidents happen all the time and don’t necessarily need to be reported. For example, breaches involving consumer data must be reported according to applicable regulations but leaks or theft of intellectual property do not. Data breaches, large or small, are a massive headache for a lot of industries – especially since the number of security breaches seems to be increasing drastically year-to-year, with no signs of stopping any time soon.
Now is the time for a new approach to data security as a whole. The majority of existing methods and techniques attempt to secure a container that holds the sensitive data – be it servers, networks, applications, etc. However, this kind of approach is also the reason for limited control over the data once it’s in motion and being used in some sort of collaborative effort. Once in motion or in use it becomes extremely difficult to control access to it, let alone what users do with it and who they share it with.
A more modern, data-centric security (DCS) approach is designed to address these specific issues. This approach focuses on securing the data itself – not its container or storage location – when it’s at rest or in motion.
DCS has been recognized by leading government and multicoalition organizations as an important security strategy to protect highly sensitive information. NATO has adopted DCS as a core strategy to provide secure information sharing and ensure efficient data protection. Both NATO STANAG 4774 and 4778 outline confidentiality labels and metadata that must be included to properly classify information as part of a more secure, data-centric approach. The National Institute of Standards and Technology (NIST) has also recommended a DCS approach including a paper on Data Classification Practices: Facilitating Data-Centric Security Management to establish best practices.
Key Data-centric Security Controls
It’s clear that DCS has a vital role in data loss prevention across document management and collaboration platforms. A data-centric security architecture needs to encompass several methodologies and controls to perform its classification and protection roles against data loss.
Since the cornerstone of a data-centric security framework is the data itself, the ability to distinguish regular data from sensitive or valuable information (regulated data, IP, company confidential, financials, HR, etc.) is an important first step. Clear identification and classification of the types of data in your organization and their sensitivity is important to ensure that the right access and security controls can be applied to the data. These classifications will vary by organization, as they depend on internal governance policies and on any applicable regulations (e.g., regional privacy acts, classified military data regulations, etc.).
Marking or tagging is a logical continuation of the data classification process. The main purpose of data tagging is to assign a specific label (attribute / metadata) to that specific document to allow other tools to leverage this information in order to apply additional security controls. For example, tagging can be used to mark information that is subject to internal governance policies or data regulations such as PCI DSS, GDPR, NIST, etc.
Data classification is a great system to distinguish sensitive data from less sensitive – but it only works if your company is aware of where your sensitive information is located in the first place. This is where data discovery tools come in. Data discovery tools are the engine room that bring together the classification rules and tagging process by scanning your data repositories to automatically identify sensitive data at scale and tag it.
Attribute-based Access Control
Classification and tagging are the baseline elements used in a data-centric strategy. By overlaying an attribute-based access control (ABAC) element, any attribute or characteristic of the data, user or environment can be used to control access to data and assign appropriate protection based on the context of the request at the specific time the access was requested. Because the ABAC methodology is dynamic, it automatically adjusts access rights and protection controls in real time to accommodate the context of each scenario. For example, different access and protections can be applied to a user trying to access the same document from home (read-only access) or from the office (full access).
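The home/office scenario above, as an added example that is not code from the original article: a small ABAC decision function that combines the document's classification tags with user and environment attributes. The rank table, the rule set and all sample attributes are assumptions chosen for illustration.

```python
# Added example, not code from the article: a small attribute-based access
# control (ABAC) decision function. The rank table, the rule set and all
# sample attributes are assumptions chosen to mirror the article's scenario
# of the same document yielding read-only access from home and full access
# in the office.

# Ordered sensitivity levels shared by document classification tags and
# user clearance attributes.
RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

FULL = frozenset({"read", "edit", "download", "share"})
READ_ONLY = frozenset({"read"})
DENY = frozenset()

def decide_access(doc, user, env):
    """Evaluate one access request and return (permitted_actions, reason).

    doc:  tags produced by classification, e.g.
          {"classification": "confidential", "regulations": {"GDPR"},
           "allowed_regions": {"EU"}}
    user: {"id": ..., "clearance": "internal"}
    env:  {"location": "office"|"home"|"other", "managed_device": bool,
           "region": "EU"}
    The reason string is what an audit log would record for the decision.
    """
    level = RANK.get(doc.get("classification", "public"), 0)
    if level == 0:
        return FULL, "public data"
    # Subject attribute: clearance must cover the document's sensitivity.
    if RANK.get(user.get("clearance", "public"), 0) < level:
        return DENY, "insufficient clearance"
    # Data attribute: regulated data stays in the regions its tag permits;
    # a regulated document with no allowed_regions tag fails closed.
    if doc.get("regulations") and env.get("region") not in doc.get("allowed_regions", set()):
        return DENY, "region not permitted for regulated data"
    # Environment attributes: device posture and location decide what the
    # user may do with the document, not just whether they can open it.
    if not env.get("managed_device", False):
        return DENY, "unmanaged device"
    if env.get("location") == "office":
        return FULL, "managed device on office network"
    if env.get("location") == "home":
        return READ_ONLY, "managed device at home: read-only"
    return DENY, "unknown location"
```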
At Rest and In Motion Protection
Data is no longer simply at rest; it passes between systems, applications, devices, and users. Traditional data security methods often only address data at rest and are not meant to protect it in motion (as data travels between systems, users, and devices) or in use (as data is accessed, edited, processed, and viewed). A modern data-centric strategy needs to address data in all of these states to protect against loss and misuse by applying the controls directly to the data, so the same protections remain valid inside the corporate network or outside of it. Encryption, geographic access restrictions, read-only access, etc. are a few of the controls that can be used to protect data as it travels.
The main purpose of encryption is to control access to data for compliance or security reasons. Encryption renders data unreadable if you don’t have the correct level of access. It’s not uncommon for encryption to have multiple layers: databases, files, hardware, etc. These are all good precautions, but ensuring the data itself is encrypted is key to a data-centric strategy. This ensures that only the intended recipient or user can decrypt the file for viewing, reducing backdoor access to files from administrators and other unwanted viewers.
Digital watermarks are used to embed information into a document for security purposes. They can be used to identify ownership and confidentiality, and to track chain of custody. They are useful in proactively reminding users that the content they are handling is confidential, and they also protect against improper use. They help deter photographing of sensitive content and aid in tracking the source of a leak by embedding user information into the document that cannot be removed.
The ability to remove or mask sensitive information in a document is also an important component of data-centric controls for legal or security purposes. Widely used in government and military documents, it also has enterprise applications for IP protection and internal data barriers. For example, you may need to remove someone’s social security number from a resume that’s circulating amongst the hiring team for privacy compliance.
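The discovery-and-tagging step described earlier and the masking step above, as one added example that is not code from the original article: a minimal scanner that finds regulated values in a document, assigns classification tags (the metadata downstream controls consume) and produces an irreversibly masked copy. The patterns, tag mapping and sample document are constructed for illustration.

```python
import re

# Added example (not from the original article): data discovery that finds
# regulated values, tags the document with classification metadata, and
# masks the values. Patterns, tag mapping and sample input are constructed.

# Candidate patterns. A card candidate must also pass the Luhn checksum,
# which removes most false positives on arbitrary 13-16 digit strings.
PATTERNS = {
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Tags that downstream controls (ABAC, DLP, encryption) act on.
TAGS_FOR = {
    "card_number": {"classification": "confidential", "regulations": {"PCI DSS"}},
    "ssn": {"classification": "confidential", "regulations": {"privacy"}},
}

def luhn_ok(digits):
    """Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return (kind, start, end) spans of sensitive values found in text."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                continue        # digit run that fails the checksum: not a card
            hits.append((kind, m.start(), m.end()))
    return hits

def classify(text):
    """Merge the tags for every detected kind; 'public' if nothing is found."""
    tags = {"classification": "public", "regulations": set()}
    for kind, _, _ in find_sensitive(text):
        tags["classification"] = TAGS_FOR[kind]["classification"]
        tags["regulations"] |= TAGS_FOR[kind]["regulations"]
    return tags

def mask(text):
    """Replace each detected value with a placeholder; the value is not recoverable."""
    out = text
    for kind, start, end in sorted(find_sensitive(text), key=lambda h: h[1], reverse=True):
        out = out[:start] + f"[{kind.upper()} REDACTED]" + out[end:]
    return out
```

Masking rewrites the text rather than overlaying it, so the original value does not survive in the redacted copy; the `classify` output is the tag set the ABAC decision function in the previous section would consume.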
Data loss prevention
Data loss prevention (DLP) enforces various security policies to protect data. It works with both data at rest and in motion, and it can act as a centralized framework that can be used to track data usage and locate unauthorized data sharing. DLP is capable of protecting against both accidental and malicious data loss and it can leverage data classification to assign appropriate protections.
Zero Trust Access
Zero trust has become the buzzword in security and for good reason. It has proven an effective framework to ensure users are authenticated and continuously validated in order to gain access to networks and applications. Extending this methodology to data access has clear advantages for ensuring only authorized users can access data under the right conditions to prevent suspicious access and misuse – by sheer nature of challenging every access request.
Data governance and analytics
Governance is an important part of a data-centric strategy. It sets the foundation for a successful implementation by clearly defining the policies and standards that your organization must adhere to from a regulatory standpoint, as well as from a business perspective. Without clear governance policies it’s difficult to understand the controls needed to protect and classify your data. You also need a mechanism to understand, monitor and measure efforts and adherence to those policies, which is where analytics come into play. Depending on the regulation, you may also need auditing capabilities to document adherence and track the chain of custody of sensitive information.
The more layers that you build into your overall security strategy, the better your real-time protection will be. All of these layers play an important role in preventing cyberattacks. However, data-centric security is highly effective at protecting your most critical asset – your data – from both inside and outside threats.
Read our whitepaper on Secure Collaboration – The Impossible Paradox. It discusses how collaboration has changed the data security landscape, and how using a dynamic data-centric security model more effectively secures data as it moves across the enterprise and collaboration tools.