The Importance of Data-Centric Security: Three Pillars to a Successful Strategy
From IC Insider Thales Trusted Cyber Technologies
By Brent Hansen, CTO, Thales Trusted Cyber Technologies
IT security has traditionally focused on perimeter defense – essentially building walls around the infrastructure to prevent network incursions. Unfortunately, that is just not enough for real security. If today’s Chief Information Security Officers (CISOs) and Chief Data Officers (CDOs) want to break the reactionary cycle of measures and counter measures, they must take a completely new approach: data-centric security.
As witnessed by the Solar Winds attack late last year, cybercriminals regularly breach perimeter defenses through increasingly sophisticated means. And practically speaking, data in the cloud is beyond the reach of perimeter defenses. To truly protect data in transit or at rest, a data-centric security strategy is essential.
Because of the boom in data overall, changing worldwide privacy regulations and ever-increasing cloud adoption, data-centric security has emerged as the best possible means to control data no matter where it may be – as well as making the data unreadable to data thieves. To work optimally, this protection must happen automatically, without relying on users’ intervention.
The three pillars of effective data-centric security are:
- Data discovery and classification,
- Data protection, and
- Centralized encryption key management
We’ll take a closer look at each of these pillars more closely, but first let’s get a better understanding of why perimeter security is no longer the preferred path to ensuring that sensitive data remains under authorized control.
Perimeter security isn’t keeping pace with today’s IT security concerns
Legacy data security architectures were built on assumptions that don’t hold true today. For example, it was assumed that data would reside in a data center and would be used on-premises. In those earlier times, IT owned and controlled everything end-to-end, from infrastructure to security to applications. That meant much better visibility into data and users, with better control, as well. Layers of perimeter security protected applications and limited data access using firewalls, VPN, intrusion prevention systems and more.
Today, those areas of control and defense simply don’t exist any longer. You can provide the strongest perimeter defense around a datacenter, but ultimately it won’t matter. Why not?
First, perimeter security was never intended to scale to the vast amounts of data that is so frequently on the move today. As cloud services, big data environments, and IoT technologies continue to take off, more organizations are moving more data more quickly. Often this involves third party infrastructures and partners.
All of this has led to a proliferation of data forms, including structured, semi-structured and unstructured data. Adding perimeter security creates choke points in the movement of this data, adding latency and causing performance levels that can violate service level agreements.
There’s also no such thing as an “insider” anymore. Contractors, service providers and other third parties now have the same access to data as internal employees, yet they typically may not have been vetted, and may not be able to be monitored or controlled appropriately. Perimeter security doesn’t even enter the picture for these users.
A second reason for why perimeter security is not enough is that the profusion of data types and users has made operations and regulatory compliance more complicated.
Every organization has a mix of legacy and new platforms. Movement of data to the cloud, containers, big data technologies, and the wide range of tools from multiple vendors is complicated enough on its own. Add to that the blurring of security perimeters described above, and organizations may be ill-equipped and under-funded to implement and manage unified security policies across all stakeholders, both internal and external.
Additionally, as data growth has exploded internationally it has become more difficult to comply with the increasing number of global and regional privacy regulations. Each often with their own compliance requirements, organizations can no longer fall back on siloed, legacy approaches for data security.
Indeed, today’s data environments are more complex than many could have imagined. So, it’s no surprise that organizations find that operational complexity may hinder the effective deployment of data security. In fact, CISOs and CDOs have routinely identified their greatest needs to include comprehensive and integrated data security solutions – and those solutions must provide strong protection for sensitive data no matter where it may be used or stored.
Unfortunately, legacy data security architectures fail to address many aspects of today’s data-centric world. They cannot protect against continually more sophisticated data breaches coming from increasingly determined attackers. For that, your organization must put in place a three-point strategy.
What are the three pillars of data-centric security?
Because legacy security architectures did not anticipate the many new ways in which organizations and users interact with data, these systems have failed often, and often dramatically. Today a data security posture must not only recognize data as the most valuable organization asset; it also must acknowledge that the data (and therefore data environments) is growing and will continue to do so, exponentially. That means having a data-centric attitude toward security.
Data-centric security protects the data itself, not just the endpoints, networks, and applications it moves between. Because the data itself is secure, there is no increased security risk no matter how much that data moves throughout the organization. Unlike perimeter security, which can slow down progress and inhibit the proliferation of data, data-centric security allows organizations to make the most of its data, wherever it’s stored and used.
A data-centric security approach must be intrinsic to an organization’s operations. It’s a holistic approach, and the aspects below come from practical experience working with hundreds of enterprise CISOs, CDOs, CIOs, and architects. These IT professionals are at the leading edge of data security and protection. To follow their lead in data security, here’s what needs to be done:
-
Discover and classify your sensitive data
Today, sensitive data can sprawl across multiple enterprises, and multiple cloud environments. IT security has historically had limited visibility into where data is stored and who has access to it. But distributed data can lead to potential problems ranging from breaches to compliance violations.
To discover and classify your organization’s sensitive data, first identify where the most sensitive data assets are in your on-premises data center. Then move to extended environments, such as cloud and hosted services. Search storage and file servers, applications, databases, and virtual machines. As you locate data across the organization, no matter where it exists, classify its sensitivity and importance according to internal policies and external regulations.
This step of discovering, identifying, and classifying sensitive data is essential to the process. It also has to be both repeatable and useable regardless of technology or geography. Data discovery and classification solutions typically provide visualized dashboards and drill-downs to understand varieties of sensitive data, its location, and its risk score.
The risk scores aggregate parameters including protection level, number of elements found, location, amount of sensitive data, etc. These scores and allow organizations to identify the sensitivity of data objects, such as files and databases. Data protection and risk mitigation enables organizations to prioritize remediation or to make educated decisions about third-party data sharing or cloud migration.
-
Protect your sensitive data.
Protecting sensitive data itself, requires your organization to set up a baseline encryption strategy, to mitigate data leakage and the risk of data disclosure resulting from breaches.
Once your data has been discovered and classified, it’s important to assess the risk that each data set adds to your business. Prioritize how and where to implement access controls and obfuscation security mechanisms, such as file-level encryption with granular access controls and tokenization with dynamic data masking (which we’ll describe in greater detail below). By doing so, you’re protecting the data by making it more harder for unauthorized users to access. Additionally, if the data is stolen or leaked it becomes unreadable, and therefore useless.
Encryption is among the most popular and effective data security methods in use today. Data encryption translates data into another form (cipher text), so only authorized users
can access the data as clear text.
While encryption transforms data using a specific algorithm, tokenization protects sensitive data by substituting non-sensitive data. Tokenization creates an unrecognizable tokenized form of the data that maintains the format of the source data. The tokenized data can also be stored in the same size and format as the original data. So, storing the tokenized data requires no changes in database schema or process.
If the type of data you’re storing does not have this kind of structure – for example text files, PDFs, MP3s, etc., tokenization is not an appropriate form of obfuscation. In that case, file-system level encryption is appropriate, to change the original block of data into an encrypted version of the data.
There are several considerations to take into account when determining which data encryption solution type will best meet your requirements. For example, data encryption types can be broken out by where they fit into the technology stack. There are four levels in the technology stack in which data encryption is typically employed: disk, file system, database, and application. The lower in the stack encryption is employed, the simpler and less intrusive the implementation will be, generally speaking. Unfortunately, the number and types of threats these data encryption approaches can address are also reduced when placed lower in the stack. Conversely, when encryption is higher in the stack, higher levels of security are possible, along with greater threat mitigation.
-
Control encryption keys.
Securing cryptographic processes depends on the security of the cryptographic keys used to encrypt the data. If keys for data encryption or tokenization are stolen, the data is not secure; it can be deciphered and read in plain text.
To successfully secure sensitive data, cryptographic keys must be secured, managed and controlled by your organization – not by a third-party or cloud provider.
It’s important to note also that the greater the number of siloed encryption solutions, the more difficult it is to manage inconsistent policies, varying levels of protection, and escalating costs.
The answer for most organizations it to move to a centralized key management model across the lifecycle of the key.
Key lifecycle management includes generating, using, storing, distributing, archiving, and deleting keys. Centralized key management carries with it some organizational benefits, including unified key management and encryption policies, and system-wide key revocation.
Additionally, centralized key management reduces the possibility of errors in setting permissions for users and administrators. This type approach is highly scalable, for secure FIPS 140-2 validation, and the cost savings that comes with automation. At an operational level, audit information is consolidated, and backup and recovery is simplified. And because this approach affords comprehensive separation of duties, security is actually enhanced.
Advantages of data-centric security
Data-centric security solutions enable organizations to address the security challenges that have come about by data proliferation and new global and regional privacy regulations. It prepares an organization to meet ever-changing needs.
When properly deployed, a data-centric security solution can mitigate risks and reduce costs. Labor-intensive manual process can be scaled back, which can help eliminate human error and set the stage for securing new technologies as they come online.
What’s more, data-centric security allows for all data assets to be continually monitored, which facilitates governance of security policies and control. Organizations are better equipped to understand both their data and its risk, and how to prioritize remediation. Data is secure to
move safely across multiple on-premises and cloud environments, protected from theft attempts by bad actors or advanced persistent threats.
From a legal and regulatory compliance perspective, the data-centric approach to security can help meet organizational, industry and government regulations. Infractions can be monitored, and security policies enforced, with automated reports and security audits.
The ever-increasing value of data has led to more sophisticated attacks on both networks and data. Data-centric security improves regulatory compliance while also protecting against these sophisticated cybersecurity threats.
Base your data-centric security strategy on these three pillars:
- Data discovery and classification,
- Data protection, and
- Centralized encryption key management
With these pillars in place, your organization can have the confidence to make the best use of the proliferation of data available, and be prepared to continue to adopt new technologies that are powering digital transformation.
About Thales TCT
Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.
For more information, visit www.thalestct.com
About IC Insiders
IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.