April 9, 2020
10 Keys to Data-Centric Security
When you consider the litany of IT security headlines in the news, one thing is clear: no industry or organization is immune to cyberattacks. Even companies with mature security programs can be breached. The threat landscape is increasingly dangerous, while new technologies are distributing sensitive data farther across locations, devices and repositories.
In the past, organizations based their defenses on traditional network and host-based controls like perimeter firewalls and anti-virus software, but IT security practices are in the midst of a major transition.
The Shift to Data-Centric Security
It is no longer enough to focus our efforts on networks and endpoints. As IT environments keep changing, organizations need to keep pace and advance their security by focusing on the data itself, through the development of a data-centric security program.
A comprehensive data-centric security strategy includes the following 10 key elements:
[Figure: The 10 Keys to Data-Centric Security]
Below is a synopsis of each element. As organizations develop a data-centric security program, it is important to assess current maturity levels and determine which areas need to be prioritized and remediated first.
Data discovery
A 2015 State of Data Security Intelligence report by the Ponemon Institute found that 64% of companies don’t know where their sensitive information is. Yet in 2019, the Ponemon Institute reported that 55% of companies were still not investing in visibility and discovery solutions.
Data discovery tools help organizations gain visibility into the location, volume, context and risk associated with sensitive unstructured data across the enterprise, both on-premises and in the cloud. They enable security teams to properly protect sensitive data with the appropriate controls and comply with regulations.
Data governance & analytics
Data governance allows organizations to monitor how their structured and unstructured data is being accessed, provides a point of validation for company and regulatory compliance, and facilitates the identification of policy violations. Data security policies and standards that specify the processes needed to ensure access is restricted to authorized individuals, groups and third parties should be in place to provide a proper foundation. Security controls can then be implemented to help protect the data by monitoring activity and providing visibility into which data is being accessed, when it is being accessed and by whom. These controls can include data access governance, database activity monitoring and/or data audit and protection tools.
Enhanced analytics can also be achieved through data governance, enabling business users to directly access data, blend data from disparate sources together to develop new insights, and perform a range of tasks that used to require the assistance of an expert, from provisioning dashboards to applying predictive models.
Additionally, data retention policies and tools are needed to properly handle data over time and validate that it is properly disposed of. Current backup, archiving, and business continuity/disaster recovery processes and procedures should be evaluated.
Data classification
Data classification policies and tools facilitate the separation of valuable information that may be targeted from less valuable information. Information is divided into predefined groups that share a common level of risk, and the security controls required to secure each group are specified. Classification tools can be used to improve the treatment and handling of sensitive data and promote a culture of security that helps to enforce data governance policies and prevent inadvertent disclosure. Classification metadata can be ingested by data loss prevention (DLP), encryption and other security solutions to determine which information is sensitive and how it should be protected.
Data tagging & watermarking
Data tagging ensures that data can be found quickly and efficiently. Data is "tagged" to reflect its security classification and other associated information. For example, an account number may be governed by regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act (GLBA), and more. If individual data fields are effectively tagged, then the resources that transmit, process or store that data inherit their risk, as well as the associated controls that reduce the risk.
Data watermarking allows organizations to apply classification labels and visual markings on email and documents to clearly identify sensitive information. It also facilitates user education with interactive policy tips to encourage appropriate handling and prevent data from being conveyed to unintended recipients.
Data loss prevention
DLP identifies, monitors and protects data in use, data in motion on networks, and data at rest in data storage areas or on devices. Through deep content inspection and a contextual security analysis of transactions, DLP systems act as enforcers of data security policies. They provide a centralized management framework designed to detect and prevent the unauthorized use and transmission of sensitive information. When properly deployed, DLP protects against mistakes that lead to data loss and intentional misuse by insiders, as well as external attacks on information infrastructure. With proper integrations, DLP can also analyze data that has been discovered, classified and tagged to apply and enforce appropriate policies.
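The discovery, classification, tagging and DLP steps described above, chained together as an added example (not code from the original article or from any product it alludes to): a scanner finds card numbers, SSNs and e-mail addresses in constructed sample files, applies a Luhn check so that card-shaped serial numbers are not mislabelled, assigns a classification label and tags, and a small policy table then decides whether an outbound transfer is allowed, audited, blocked or must be encrypted. The detector patterns, tag names, labels, sample file contents and policy table are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample "files" standing in for what a discovery crawler would
# read from a file share or cloud bucket. All values are made up.
SAMPLE_FILES = {
    "finance/card_batch.csv": "customer,pan\nacme,4111 1111 1111 1111\nglobex,4222222222222\n",
    "hr/new_hires.txt": "Jane Roe, SSN 123-45-6789, start 2020-04-13",
    "it/asset_serials.txt": "router serial 1234567890123456",
    "it/contacts.txt": "helpdesk@example.com on-call rotation",
    "marketing/newsletter.md": "# Spring update\nNew product launch next month!",
}

LEVEL_RANK = {"Public": 0, "Internal": 1, "Restricted": 2}

# Detector table (assumed): name, pattern, tag attached on a hit, and the
# classification level a hit implies. Card numbers are Luhn-checked in scan().
DETECTORS = [
    ("pan",   re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "PCI",     "Restricted"),
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),     "PII",     "Restricted"),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "CONTACT", "Internal"),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters card-shaped strings (serials, ticket ids) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Record:
    path: str
    findings: list = field(default_factory=list)   # (detector name, matched text)
    tags: set = field(default_factory=set)
    label: str = "Public"


def scan(path: str, text: str) -> Record:
    """Discovery, classification and tagging for one file."""
    rec = Record(path)
    for name, pattern, tag, level in DETECTORS:
        for m in pattern.finditer(text):
            value = m.group(0)
            if name == "pan":
                digits = re.sub(r"\D", "", value)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue  # card-shaped but fails Luhn: leave it unclassified
            rec.findings.append((name, value))
            rec.tags.add(tag)
            if LEVEL_RANK[level] > LEVEL_RANK[rec.label]:
                rec.label = level   # the label is the highest level any finding implies
    return rec


def discover(files: dict) -> dict:
    """Run the scanner over every file and return path -> Record."""
    return {path: scan(path, text) for path, text in files.items()}


# DLP policy (assumed) keyed on (label, destination); anything unlisted is allowed.
POLICY = {
    ("Restricted", "external"): "block",
    ("Restricted", "internal"): "encrypt",
    ("Internal", "external"): "audit",
}


def dlp_decision(rec: Record, destination: str) -> str:
    """Enforcement point that consumes the discovery tags instead of re-inspecting content."""
    return POLICY.get((rec.label, destination), "allow")


if __name__ == "__main__":
    for path, rec in discover(SAMPLE_FILES).items():
        print(f"{path:26} {rec.label:10} {sorted(rec.tags)} external->{dlp_decision(rec, 'external')}")
```

The Luhn step is what keeps the asset serial in it/asset_serials.txt from being tagged PCI; in practice the same tuning (validators, allow-lists, proximity keywords) is where most discovery and DLP false positives are removed, and the label on the Record is what downstream encryption or DLP tooling would read as classification metadata.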
Encryption
Encryption helps to protect data by rendering it useless in the event of a breach. It can be invaluable in the effort to combat targeted attacks and maintain regulatory compliance. But the wide variety of options for enterprise deployment can be intimidating; encryption can be applied in many ways to protect disparate data types. It is often applied in layers, with each layer playing an important role. Failure to build a successful end-to-end encryption strategy increases costs, complexity and business risk.
In addition to careful consideration of data states and encryption techniques, key elements of a successful approach include collaboration between key data stakeholders, data classification, key management, product testing, access control, policies and SSL decryption at gateway points of access.
Enhanced gateway controls
Organizations need to reinforce traditional perimeter defenses and create additional layers of continuous data protection to limit unauthorized data exfiltration. Several solutions can facilitate this effort.
Next-generation firewalls (NGFW) offer application-level inspection and intrusion prevention, and they incorporate intelligence from outside the firewall to restrict available attack vectors. Secure web gateways provide additional web security measures, including dynamic URL filtering, advanced threat defense, malware protection and application control technologies, to address external-facing threats and help to enforce policy compliance. SSL decryption (TLS interception at the gateway) decrypts SSL/TLS traffic so that firewalls, secure web gateways, IPS, DLP, sandboxing and other security controls can analyze it for potential malware and data exfiltration.
Advanced email security solutions help not only to encrypt emails containing sensitive information and data, but also to defend against targeted phishing campaigns with URL link protection and attachment sandboxing. And secure file transfer solutions can protect sensitive data that is transferred daily across your workforce, systems, customers, suppliers and partners.
Identity and access management
Identity and access management (IAM) helps to protect data by ensuring that only the right people have access to the right information at the right time and for the right reasons. Corporate networks have become globally connected webs of users and devices that are accessing IT environments wherever, whenever and however they choose, and users and their identities are the most vulnerable link. IAM solutions including access management, governance and recertification, federated identities/single sign-on, and privileged user management help to fill gaps left by the disappearance of the traditional perimeter. They help organizations ensure that people have access to what they need in order to do their job and nothing more, securely connecting users to distributed business services using identity as the new perimeter.
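How data access governance (monitoring who accessed what and flagging policy violations, as described under data governance) and IAM least privilege with periodic recertification fit together, as an added example that is not from the article: group clearances are mapped onto the classification labels a discovery pass would produce, constructed access-log lines are replayed against that model to surface violations, and grants not reviewed within a window are listed for recertification. The user and group names, paths, log format, review date and 90-day window are all assumptions.

```python
import re
from datetime import date

LEVEL_RANK = {"Public": 0, "Internal": 1, "Restricted": 2}

# Constructed entitlement model: each group is cleared up to one classification level.
GROUP_CLEARANCE = {"all-staff": "Internal", "finance": "Restricted", "contractors": "Public"}
USER_GROUPS = {
    "alice": {"all-staff", "finance"},
    "bob": {"all-staff"},
    "carol": {"contractors"},
}

# Constructed data inventory carrying the labels a discovery/classification pass would attach.
INVENTORY = {
    "finance/card_batch.csv": "Restricted",
    "hr/handbook.pdf": "Internal",
    "www/press.html": "Public",
}

# Constructed access-log lines in an assumed key=value format.
ACCESS_LOG = """\
2020-04-09T08:01:12Z user=alice action=read path=finance/card_batch.csv
2020-04-09T08:03:40Z user=bob action=read path=finance/card_batch.csv
2020-04-09T08:05:02Z user=carol action=read path=hr/handbook.pdf
2020-04-09T08:07:55Z user=bob action=read path=www/press.html
"""
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$")

# Constructed grant records with the date each was last recertified, and an assumed "today".
GRANTS = [
    {"user": "alice", "group": "finance", "last_reviewed": date(2019, 10, 1)},
    {"user": "bob", "group": "all-staff", "last_reviewed": date(2020, 3, 1)},
    {"user": "carol", "group": "contractors", "last_reviewed": date(2019, 12, 1)},
]
REVIEW_DATE = date(2020, 4, 9)


def effective_clearance(user: str) -> str:
    """Highest level any of the user's groups is cleared for; unknown users get Public."""
    levels = [GROUP_CLEARANCE[g] for g in USER_GROUPS.get(user, set()) if g in GROUP_CLEARANCE]
    return max(levels, key=LEVEL_RANK.get, default="Public")


def is_authorized(user: str, path: str) -> bool:
    """Least-privilege check; a path absent from the inventory is treated as Restricted (fail closed)."""
    required = INVENTORY.get(path, "Restricted")
    return LEVEL_RANK[effective_clearance(user)] >= LEVEL_RANK[required]


def parse_log(text: str) -> list:
    """Parse key=value access events; malformed lines are skipped rather than crashing the monitor."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_violations(text: str) -> list:
    """Monitoring: replay the access log against the entitlement model and flag policy violations."""
    return [(e["ts"], e["user"], e["path"]) for e in parse_log(text)
            if not is_authorized(e["user"], e["path"])]


def stale_grants(grants: list, today: date, max_age_days: int = 90) -> list:
    """Recertification: grants not reviewed within the window must be re-approved or revoked."""
    return [(g["user"], g["group"]) for g in grants
            if (today - g["last_reviewed"]).days > max_age_days]


if __name__ == "__main__":
    for ts, user, path in find_violations(ACCESS_LOG):
        print(f"VIOLATION {ts} {user} -> {path} (cleared for: {effective_clearance(user)})")
    for user, group in stale_grants(GRANTS, REVIEW_DATE):
        print(f"RECERTIFY {user}/{group}")
```

Two design points carry over to real deployments: the authorization check fails closed for data that discovery has not yet classified, so an inventory gap becomes a visible denial rather than a silent grant, and the violation report is driven by the same labels DLP and encryption consume, which is what lets a governance team reason about access in terms of data sensitivity instead of raw share paths.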
Cloud security
Organizations are increasingly re-evaluating their application portfolios and "cloudifying" traditionally internal applications. Policies and security controls aimed at securing cloud access and data will vary based on the type of cloud providers used—SaaS, IaaS, and/or PaaS.
Cloud access security brokers (CASBs) help to protect data by providing better access control, authentication and analysis of data and user activity moving in and out of SaaS cloud services. CASBs protect key SaaS-based applications, and they can orchestrate security across solutions including IAM, DLP, NGFW, secure web gateway, malware and threat emulation, and security information and event management. By correlating threat intelligence and automating response actions across several disparate solutions, CASBs can increase the effectiveness of security programs.
Each type of IaaS/PaaS cloud provider introduces a different set of capabilities and architectures that need to be evaluated to determine the security policies, architecture and controls needed to access and secure data that is stored with the provider and transmitted to and from the organization. Even though current on-premises policies and controls can potentially be extended to these providers, they will need to be assessed for viability and effectiveness in that setting.
User security awareness
Humans are the weakest link in any data protection strategy; even the most advanced security controls can be accidentally or intentionally circumvented by human interaction. The importance of user security awareness at all levels of the organization cannot be overstated.
In its 2019 Data Breach Investigations Report, Verizon found that 32% of breaches involve phishing. Many targeted attacks take the form of emails that leverage social engineering tactics to entice users to click on a malicious link or open an attached file, thereby triggering the attackers’ code and installing a back door for outbound communications to command and control servers.
You can reduce successful phishing attacks and malware infections by continually educating employees—especially those with access to critical intellectual property—about the threat to their company, their personal information and their livelihood. Continuous security awareness training programs help organizations in all industries inform users about the latest security best practices, deliver targeted training when and where it’s most needed and effectively change lax behaviors over time.
Protecting Your “Crown Jewels”
In today’s threat landscape, traditional approaches to securing data fall short. In order to protect data from evolving IT changes and targeted attacks, we need to shift our focus from securing networks, applications and endpoints to identifying and securing our “crown jewel” data. The development of a comprehensive data-centric security program can uniquely position your organization to protect what matters most and make security move with your data.