One thing is clear: no organization or industry is exempt from cyber-attacks. Therefore, when talking about data breaches, the issue is not about if it will happen, but when it will happen. Even organizations with hefty security budgets can be prone to an attack. Let’s take a minute to reflect on some of the most significant hacks in the recent past:
- British Airways suffered a hack attack that compromised up to 380,000 customers’ payment cards as well as personal data.
- About 143 million American consumer records were exfiltrated from Equifax (a top credit reporting agency), exposing sensitive data such as Social Security information and driver’s license numbers.
- More than 500 million Yahoo user accounts were hacked, revealing valuable information, including email addresses, names, dates of birth, telephone contacts and passwords.
- A database of 80 million patient and staff records was breached at Anthem (health insurance giant), exposing names, email addresses, Social Security numbers, employment details as well as income data.
- Tens of millions of credit card accounts were hacked at JPMorgan Chase, affecting 76 million households and 7 million enterprises. The bank reported that customer information such as Social Security numbers and passwords was breached.
And this is just the tip of the iceberg; the list goes on.
A broad evaluation of what these hacks have in common leaves you with one concrete conclusion: traditional perimeter-based approaches to security, while important, have become less effective in protecting against data exposure. The numbers would be much lower, if not eliminated, had the organizations involved employed a data-centric approach to security.
But what is data-centric security all about?
A data-centric approach to security focuses on the safety of the data itself instead of just trying to secure endpoints. In the contemporary world, where employees telecommute and are no longer limited to their workstations to access the corporate network, protecting endpoints, applications or networks is not enough.
What is necessary for a digital and perimeter-less world is a strategic and holistic approach that is more data-centric than network-centric.
A data-centric strategy focuses on the following goals:
- Establish the location of sensitive data, understand how it flows within an organization as well as possible risks
- Classify data along with its value to the organization
- Protect the data in accordance with the sensitivity level
- Set policies for who can see what data
- Finally, monitor the use (or misuse) of the data.
Taking a data-centric approach towards data security will allow you to focus on what really needs to be protected—your company’s sensitive data—instead of IT infrastructure which houses smaller portions of the data.
The Shift to Data-Centric Security
Protecting data (a company’s most critical asset) is now de rigueur among information security industry leaders and marks a profound shift in how organizations’ information security will evolve in the coming years.
Additionally, given the evolving regulatory landscape, there is a need for strategies that will ensure sensitive data is safe wherever it is housed. Faced with this new reality, a comprehensive data-centric security strategy should encompass the following eight elements:
Identification and Classification – The initial step in securing sensitive information is to know how much data you hold and where it is located. Data identification entails scanning folders and files and comparing their contents against the organization’s definition of sensitive data.
Classification, on the other hand, is the procedure of tagging data files with metadata that indicates the types of data the files hold. These functions may be performed alongside each other or be handled using separate technologies. In each case, however, the aim is to locate and identify sensitive information so that it can be adequately protected.
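The two steps described above, identification by content scan and classification by metadata tag, are shown here as an added example that is not part of the original article. The detectors (US Social Security number pattern, Luhn-checked card numbers), the labels `restricted` and `internal`, and the `.meta.json` sidecar naming are assumptions chosen for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed detectors: the article does not define what counts as sensitive.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def identify(text: str) -> dict:
    """Identification: count matches per sensitive data type."""
    cards = [re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text)]
    return {
        "ssn": len(SSN_RE.findall(text)),
        "payment_card": sum(1 for c in cards if luhn_ok(c)),
    }

def classify(root: Path) -> dict:
    """Classification: write a sidecar metadata tag next to every scanned file."""
    labels = {}
    for path in sorted(root.rglob("*.txt")):
        found = identify(path.read_text(errors="replace"))
        types = sorted(k for k, n in found.items() if n)
        tag = {"label": "restricted" if types else "internal", "types": types}
        Path(str(path) + ".meta.json").write_text(json.dumps(tag))
        labels[path.name] = tag
    return labels

def demo() -> dict:
    """Run over constructed sample files (test values, not real records)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr.txt").write_text("Employee SSN: 123-45-6789\n")
        (root / "orders.txt").write_text("Card 4111 1111 1111 1111, ref 1234567890123\n")
        (root / "memo.txt").write_text("Lunch is at noon.\n")
        return classify(root)
```

The 13-digit order reference in `orders.txt` matches the card pattern but fails the Luhn check, so only the card number is counted; without the checksum step, ordinary reference numbers would inflate the set of files tagged as restricted.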
Data Loss Prevention (DLP) – DLP monitors and protects information in use, information in motion on networks, and information at rest in storage areas or on computers or mobile phones. It offers a centralized data management framework designed to detect and prevent unauthorized use. If deployed correctly, DLP can be very useful in protecting against errors that lead to loss of data, deliberate misuse by insiders, and external attacks on data infrastructure.
Data Visibility – Data visibility enables organizations to keep track of how their unstructured and structured data is being accessed. It offers a validation point for the company and for regulatory compliance, and comes in handy in identifying policy violations. Security policies that define the processes required to grant access to particular individuals should be established. Security controls may then be enforced to help secure data by keeping track of activities and offering visibility into the kind of information being accessed, when it is being accessed, and by whom.
Data Encryption – Encryption helps protect data by making it useless in case of a breach. This is instrumental in combating targeted attacks as well as maintaining regulatory compliance. Encryption can be applied in various ways to secure different data types. Often, it is applied in layers, whereby each layer plays a key role. However, there is a caveat: failing to develop a successful end-to-end encryption strategy will only increase costs and business risk. Besides careful consideration of encryption techniques, other factors of a successful approach include collaboration among major data stakeholders, product testing, data classification, policies, access control, and SSL decryption at the access gateway points.
Enhanced Gateway Controls – The traditional security perimeter should not only be reinforced but also fortified with extra layers of persistent data protection to prevent unauthorized data extraction. Solutions that can assist here include:
- Next-generation firewalls (NGFW), which can conduct application-level checks, provide intrusion prevention, and integrate intelligence from outside the firewall to limit possible attack vectors.
- Secure web gateways, which offer extra web security measures, including dynamic URL filtering, malware protection, advanced threat defense, and application control technologies, to deal with external-facing threats and assist in enforcing policy compliance.
- SSL decryption, which decodes SSL/TLS-encrypted information for analysis by IPS, firewalls, DLP, secure web gateways, sandboxing and other security controls, for protection against data exfiltration as well as potential malware.
- Modern email security solutions, which can go a long way in encrypting emails holding sensitive data as well as protecting users from targeted phishing attacks.
- Secure file transfer options, which protect sensitive information that is transmitted regularly across systems and between your employees, suppliers, customers, and partners.
Identity Management – Identity and access management protects data by making sure that only the right people can access the right data for valid reasons and at the stipulated time. As we noted earlier, most corporate networks are now globally connected. Users and devices can access IT environments wherever and whenever they want. While this is a great advancement, it puts users and their identities at risk. Identity and access management (IAM) solutions, which include governance, access management, recertification, and federated identities, help fill the gaps left by the disappearance of the traditional firewall. They help institutions ensure that people can access the data they need to do their work and nothing more, safely connecting end-users to shared business services and using their identity as the new security perimeter.
Auditing and Reporting – Since data volumes are expected to grow rapidly into the future, there is an urgent need for organizations to understand and document how their information is utilized and stored. Therefore, reporting and analysis tools are indispensable for internal control. They are also a good way to demonstrate your company’s compliance with data protection obligations like the General Data Protection Regulation (GDPR).
Continuous Education – People are the most vulnerable link in any data security ecosystem. Even the most advanced security system can be breached intentionally or accidentally through human interaction. It is, therefore, essential that end-users are aware of security measures at all levels of an organization.
Most targeted attacks will come through emails that use phishing tactics to lure users into clicking on malicious links or opening an attached file, consequently triggering the hackers’ code and installing backdoors for outgoing communications to command-and-control servers.
According to a survey done in 2015, it takes a mean of only 82 seconds before any phishing campaign receives the first click. You can significantly reduce the number of successful phishing malware infections and attacks by educating your employees continually — particularly those who have access to crucial intellectual property — regarding the threats to their organization, their private data and their livelihood.
In addition, regular security awareness education programs are a powerful tool to build the capacity of end users about the best and most recent security practices. To reduce lax behaviors, offer targeted training where and when it is most required.
The major threat to organizational data is not so much that hackers break into the system, but that unprotected data leaks out. Furthermore, with the advent of ‘the cloud’, there are no watertight security perimeters to rely on.
It is important to focus on data security independently. In other words, instead of just concentrating on the security of the network, organizations need to address the vulnerability of the data itself, wherever it may be (on or off the network).
If sensitive information is protected (classified, tagged and encrypted), then you can be sure it will be safe wherever it goes, and where it is stored becomes secondary. Whether it’s in a web drive, USB key, or laptop, it’s locked tight. It can only be accessed by a user with authenticated credentials for that particular information.
Modern organizations should shift their mindset from network-centric security strategies to robust data-centric security perspectives.