The Shift to a Data-Centric Security Model

Traditionally, data protection has focused on securing the perimeter — trying to keep intruders out of systems and networks where sensitive data is stored. But with the rise in cloud computing, sensitive data can transit through or be stored in systems that are outside the traditional perimeter. Simply put, the cloud has no borders; data is free to flow anywhere and everywhere it might be needed by an increasingly mobile workforce.

Therefore, cybersecurity strategy needs to shift from trying to maintain a secure perimeter around your systems and applications to securing your data against unauthorized access. You need a data-centric security strategy.

Current Security Strategies Are Failing

Data breaches are increasing in both frequency and severity. In the first half of 2019 alone, nearly four thousand separate incidents resulted in the exposure of more than 4.1 billion records. Three of those breaches were among the ten largest data theft incidents of all time, and eight incidents accounted for more than 80 percent of the exposed data. Furthermore, the research shows an uptick in both the number of incidents (up 54%) and the number of compromised records (up 52%) from the midpoint of the previous year.

While it’s common to focus on the huge breaches, it’s also worth noting that incidents in which fewer than ten thousand records were compromised make up the vast majority of breach activity. Far too many businesses erroneously believe they are too small to be targeted by cyber threats, so they fail to implement strong data security measures. But sensitive information retains its value to malicious actors even if it’s acquired or encrypted in small batches. It all adds up: Experts estimate that companies worldwide will spend over $11.8 billion to recover data encrypted by ransomware attacks this year.

Developing a Successful Data-Centric Security Strategy

As data volumes explode, it’s essential to implement information security measures commensurate with the value of the enterprise data being protected. You need to build a comprehensive strategy that focuses the strongest security efforts (such as encryption and stringent access control) on your most sensitive information.

Data Discovery and Classification

The first step is to get a comprehensive inventory of all your existing data, whether it is inside your local intranet or in the cloud. After discovery, all data must be classified. Effective data classification must be automatic and based on specific rules relevant to the data and its flow. The goal is to classify all data that has value — such as credit card numbers, intellectual property or medical records — so it can be protected appropriately.
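The following sketch of rule-based classification is an added example, not code from this article or from any product. The rule names, the three sensitivity labels, the MRN-###### record format and the sample records are all assumptions constructed for illustration. It shows why a rule needs validation as well as a pattern: a 16-digit string only counts as a card number if it passes the Luhn checksum.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Hypothetical medical record number format, assumed for this example only.
MRN_RE = re.compile(r"\bMRN-\d{6}\b")
# Assumed labels, ordered from least to most sensitive.
LEVELS = ["public", "confidential", "restricted"]

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text: str) -> list:
    """Return pattern matches that also pass Luhn (cuts false positives)."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return [c for c in candidates if luhn_valid(c)]

# Each rule: (name, label it assigns, detector function).
RULES = [
    ("payment_card", "restricted", lambda t: bool(find_cards(t))),
    ("medical_record", "restricted", lambda t: bool(MRN_RE.search(t))),
    ("internal_marking", "confidential", lambda t: "internal use only" in t.lower()),
]

def classify(text: str) -> tuple:
    """Run every rule; return (highest label reached, names of matching rules)."""
    matched = [(name, label) for name, label, detect in RULES if detect(text)]
    top = max((LEVELS.index(label) for _, label in matched), default=0)
    return LEVELS[top], [name for name, _ in matched]

# Constructed sample records (4111... is the widely used test card number).
SAMPLES = [
    "Order 1042 paid with card 4111 1111 1111 1111, ship Tuesday.",
    "Tracking number 1234 5678 9012 3456 left the depot.",
    "Internal use only: discharge summary for MRN-204817.",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(classify(record), "<-", record)
```

The second record matches the digit pattern but fails the checksum, so it stays unclassified instead of being over-protected as card data.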

Identity and Access Management

Identity and access management (IAM) is also critical to data security. The identity of a user, along with information about their device, application, service, network location, and so on, can help ensure that data access is granted strictly on a need-to-know basis.

The most effective approach is to assign roles to users and grant specific permissions to each role. Both role assignments and permissions should be regularly reassessed to ensure they remain current. This is especially true for roles with elevated access privileges to data and services, since those users can cause significant harm to the organization.

Protection Against Theft and Loss

When data is no longer under your direct internal control, it should always be encrypted to protect against unauthorized access. Encryption helps protect data against unsanctioned users, and can also prevent authorized users from accessing the data in insecure or unauthorized ways or places. Use of data encryption should be based on specific criteria so the process is transparent to users.

Data masking is another useful technique; it obfuscates sensitive data that a particular recipient is not authorized to see.

It’s also important to implement data loss prevention (DLP). DLP solutions can protect data — no matter where it exists or how it is utilized — from leaving the protected perimeter, based on the criteria you specify.

Governance and Compliance

A robust data-centric security strategy also requires strong data governance. To secure your data, you need to be able to track who is accessing it and what they’re doing with it, with all the critical details about when the access occurred and where it originated from.

This detailed information about where your data has been and who has touched it is also critical to proving your compliance with regulatory requirements.

Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.