When it comes to data breaches, the question is not if, or even when, your organization’s sensitive information will be stolen, but how often it is happening today. No matter how many cyber-attacks you manage to prevent, you can never assume you’re stopping them all.
Increasingly sophisticated hacking techniques, together with evolving business practices, have made it all but impossible for organizations to keep their data where it’s supposed to be. This reality is bringing about a fundamental shift in the way companies around the world think about information security. Data-centric, rather than network-centric, security strategies are becoming the norm in our new digital environment.
Why Data-Centric Security?
Firewalls and access controls may always be necessary, but they won’t protect the data you store in the cloud or share via email, any more than your home security system will protect your wallet when you’re on holiday.
The data-centric approach to cybersecurity lets you focus on what you really need to protect—your organization’s sensitive data—rather than the IT infrastructure that houses a smaller and smaller share of that data each year. By protecting sensitive information in the files and databases that contain it, you can take advantage of cloud computing, mobile technology, and other innovations without placing your organization at risk.
Putting the Pieces Together
A successful data-centric security strategy aligns technology, business processes, and user workflows in order to ensure organizational control over sensitive data at all times.
Strategy development should begin with a thorough assessment of the types of data your organization creates, processes, and exchanges, as well as the user groups and systems that interact with each data type. This will prepare the organization to answer a fundamental question: which data needs to be protected?
Each company will have a unique answer to that question, depending on its industry, business strategy, and the countries in which it operates. Definitions of sensitive data generally include intellectual property, financial data, and customers’ personal information, in addition to any data covered by a legal mandate.
After assessing its current data governance practices and future needs, your organization can begin assembling its new data-centric cybersecurity program. The elements listed below, many of which can be bundled together, represent the key components of a typical data protection strategy.
Discovery and Classification: The first step in protecting sensitive data is knowing how much of it you have and where it is located. Data discovery is the process of scanning files and folders and comparing the contents with an organization’s definition of sensitive data. Classification is the process of tagging files with metadata that indicates what types of information the files contain. These functions can be performed in conjunction with each other, or handled by separate technologies, but in either case the intent is to find and identify sensitive data so that it can be adequately protected.
Encryption: The most effective way to protect sensitive data against theft or misuse is to encrypt it using a strong algorithm such as AES-256. Companies can choose from many forms of encryption, some of which only protect data while at rest or while traveling across a network. Persistent encryption, which remains with data both at rest and in motion, is the most secure form of all.
Encryption Key Management: When an organization starts encrypting its data, it must have a system in place to ensure employees will be able to decrypt and use the files they need, without allowing access by unauthorized users. Encryption key management—the process of creating, exchanging, updating, and revoking encryption keys—can be quite complex, but new technologies have emerged that automate these previously burdensome functions.
Data Loss Prevention (DLP): Data loss prevention, also known as data leakage prevention, is typically focused on data in transit, such as outgoing email traffic. File contents are inspected (as in the related process of data discovery), and messages are either allowed to proceed or are routed for remediation based on the organization’s security policies. DLP is most effective when integrated with an encryption and key management solution.
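The discovery, classification and DLP steps described above share one content-inspection engine; the following is an added example (not the article's own code) built on an assumed definition of sensitive data (payment card numbers validated with the Luhn checksum, email addresses, US SSNs). The same `discover` function tags files with classification metadata and decides whether an outgoing message may proceed or is routed for remediation; the sample file contents are constructed.

```python
import re

# Added example, not the article's code: an organization's definition of
# sensitive data as named patterns, each with an optional validator so a
# random 16-digit order number is not tagged as a payment card.

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

SENSITIVE_PATTERNS = {
    "payment-card": (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
                     lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    "email-address": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), None),
    "us-ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
}

def discover(text: str) -> dict:
    """Data discovery: count validated matches of each sensitive data type."""
    found = {}
    for label, (pattern, validate) in SENSITIVE_PATTERNS.items():
        hits = [m for m in pattern.findall(text) if validate is None or validate(m)]
        if hits:
            found[label] = len(hits)
    return found

def classify(filename: str, text: str) -> dict:
    """Classification: metadata tag recording what a file contains."""
    found = discover(text)
    return {"file": filename,
            "classification": "restricted" if found else "internal",
            "contains": sorted(found)}

def dlp_decision(message: str) -> str:
    """DLP on outgoing mail: allow it, or route it for remediation per policy."""
    blocked = {"payment-card", "us-ssn"}  # policy: never sent unprotected
    return "route-for-remediation" if discover(message).keys() & blocked else "allow"

# Constructed sample file contents for demonstration.
SAMPLE_FILES = {
    "invoice.txt": "Card 4111 1111 1111 1111 charged for alice@example.com",
    "notes.txt": "Meeting moved to Tuesday; order ref 1234 5678 9012 3456",
}
```

The second sample file contains a 16-digit number that fails the Luhn check, so it is classified as internal rather than restricted; in a real deployment the patterns would be the organization's own definition of sensitive data.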
Reporting and Auditing: As data volumes continue to grow, companies have a more pressing need to understand and document how their data is being stored and used. Robust reporting and auditing tools are important not only for internal control, but to demonstrate your organization’s compliance with data protection mandates such as the General Data Protection Regulation (GDPR).
End-User Training: No data protection strategy can succeed without proper education of the employees who create and use a company’s data. Making it easier for employees to follow your organization’s policies (i.e., automating as many steps as possible) will greatly reduce the possibility that users will attempt to circumvent the processes you have put in place.
When a company recognizes data protection as its top security priority, it frees itself from the constraints of an outdated worldview. With a data-centric security strategy, cyber threats become easier to manage, and IT security can become an enabler of future innovation, rather than an obstacle to business as usual.