Sergey Nivens - Fotolia
Big data and cloud computing are driving the need for more data-centric approaches to information security at large companies. Threat actors' abilities to slip past network-level defenses -- evident by data breaches such as those at Equifax -- and the need for compliance with security and data privacy regulations require a shift from infrastructure to data-level controls.
Analysts have increasingly advocated end-to-end, data-centric security models. Yet, for CISOs, implementing such an approach presents untold challenges. At large organizations with well-entrenched network security programs, moving to a data-centric security model can be especially complex.
Awareness of the need for better data-level protections has grown in recent years mostly as the result of data breaches. Though security spending worldwide has spiked sharply and will exceed an estimated $86.4 billion this year, according to technology research firm Gartner, data breach numbers have not declined and instead appear headed in the opposite direction.
Numbers maintained by Privacy Rights Clearinghouse show that by the end of August 2017, more than 10 million records containing personal information were exposed, compared to the 11 million records that were compromised in all of 2016.
The explosion in data at many organizations has only exacerbated the trend. Companies today collect more data from more sources than ever before. Often, the data is distributed across on-premises and cloud computing systems and on partner and supplier networks. The traditional network perimeter behind which most enterprise data resided has all but gone, and users now have the ability to access the data from anywhere and at any time via laptops, smartphones and other mobile devices.
Ken KrupaCTO, MarkLogic
For organizations covered by regulations such as PCI DSS, HIPAA, the Gramm-Leach-Bliley Act and, soon, the European Union General Data Protection Regulation, the trends pose enormous compliance challenges. The distribution of data and the many ways in which it can be accessed has made it more challenging to prevent unauthorized and excessive data use and insider abuse. Similarly, bring your own device (BYOD) and the mobile explosion in general have heightened the risk of data leaks via unsecured and malware-infected devices and insecure cloud file storage and sharing services.
In this context, end-to-end data protection means not protecting just specific endpoints or data sets, said Christopher Pierson, executive vice president, general counsel and CSO at Viewpost, an electronic payments and invoicing service in Maitland, Fla.
"Security must be able to protect data wherever it is being used, viewed or saved," he said. Organizations need to implement measures for controlling underlying access to the data -- knowing where it is moving, protecting it in transit -- and for strictly controlling and reviewing user access rights.
Examples of such measures include digital rights management (DRM) systems, tools for encrypting data in transit and during storage, and data governance and risk management technologies that enable auditing and logging of all access to data and documents stored on premises or in cloud instances.
From creation to destruction
The focus should be on end-to-end data protection -- from the moment data is created through its entire use lifecycle to its eventual destruction, said John Pescatore, director of emerging security trends at the SANS Institute.
From an operational standpoint, that means a lot more than just data encryption and data masking, which is what many organizations assume end-to-end data protection is all about, he said. Instead, data-centric security is also about things like data discovery, data classification, access control, authentication, user and usage monitoring, and auditing. Processes are also needed to ensure data minimization and secure destruction of data after its lifecycle.
It's important to consider data security as an intrinsic and enabling component of all business processes, said Ken Krupa, CTO at MarkLogic, a NoSQL database vendor headquartered in San Carlos, Calif.
"Most people think about data security from the perspective of hiding data," Krupa said. "It's quite easy to secure data if you lock it up to a point of rendering it nearly inaccessible. However, the value of data comes from the ability to share it safely."
Data discovery and classification
To implement effective data-centric security controls, CISOs first need to know where their sensitive data is and identify the data sets that need to be protected. The proliferation of mobile and cloud computing services and the adoption of practices like BYOD have resulted in enterprise data becoming scattered across systems that the IT organization often is unaware of or over which it has little control.
Multiple tools are available that can help enterprises search for, classify and inventory such data, Pescatore said. This is especially true in the case of structured data sets such as credit and debit card numbers, Social Security numbers, birthdates, addresses and phone numbers.
Data classification tools can help automatically tag individual data elements with descriptions about their sensitivity so it becomes easier to assign levels of protection. Such tools can help an organization quickly separate sensitive, confidential, public and internal data, allowing different security policies to be applied to the data sets. Examples of such tools include those from Varonis Systems, Titus and Code Green Networks, which was acquired by Digital Guardian in April 2017.
"Classification works very well for structured information. Many compliance regimes, such as PCI, are all about structured data disclosure," Pescatore said. But existing technologies do not work as well when it comes to identifying and classifying unstructured data, such as intellectual property and trade secret information, he cautioned.
Mergers and acquisition often compound the challenges involved in implementing a data-centric security model. Typically, security teams are brought in on the back end of the deal and have little opportunity to review whether the integration of another system or addition of more users will cause problems. According to Pierson, services like cloud-based single sign-on and other federated identity stores, including technologies such as Active Directory, can help mitigate some of these issues.
Protect data in the cloud
The broad adoption of cloud computing services, especially cloud applications, means that end-to-end data protection must include securing data assets stored with a cloud application.
Since corporate data is often stored within unsanctioned shadow IT applications, the discovery phase to ultimately classify data starts with identifying those applications, the data associated with them and which users are accessing the associated data assets, said Doug Cahill, senior analyst at the Enterprise Strategy Group.
From a cloud-discovery standpoint, many cloud access security brokers (CASBs) offer the functionality required to execute the data discovery phase and enable visibility into not only what cloud apps are used, but also the types of data that are being stored, he said.
Data loss prevention (DLP) controls are another essential component of a data-centric security model. Numerous DLP tools can help prevent data leaks by monitoring network traffic for data elements that match specific patterns -- such as a payment card or SSN -- and then either blocking or quarantining the traffic for further inspection. Mature DLP technology is available from vendors such as Symantec, Intel, McAfee, Digital Guardian (formerly Verdasys) and Microsoft.
As part of the DLP strategy, organizations should also implement security policies to control not only the types of data users can access but also what privileges they have with that access. "As always, a least-privileged model should apply," Cahill said. "That is, the least amount of users should have the least amount of privilege to the least amount of data."
But in implementing such security policies, organizations need to be careful about not being so restrictive as to impede collaboration. To address this requirement for cloud-hosted data, some organizations have begun using CASBs for DLP and then DRM software to essentially wrap files with access policies to secure the external sharing of content, Cahill said.
Using encryption to control who can view and modify data is another best practice, but one that also needs to be implemented in a fashion that does not impede end-user workflows, Cahill added. Important considerations here include thinking about format-preserving encryption to maintain functionality, key management and custodianship.
Assumption of least privilege is especially important from an insider-threat perspective. Database administrators (DBAs) are assumed to be safe and trusted hands and are often given elevated access to the data, Krupa said. However, with insider threats being a real concern, databases should no longer operate under the assumptions that DBAs need the keys to the kingdom to get their work done.
"Though [this may sound] counterintuitive, in reality, a DBA might often be considered the person requiring the least amount of data access privilege from a business perspective," Krupa said. "This is where things like data encryption and separation of responsibilities provide the tools necessary to implement such policies."
Ultimately, ensuring that security protections travel with the data or documents is critical, according to Pierson. "But the fundamentals of identity, access and management relating to access, authentication and authorization are also important," he said.
These fundamentals can often be achieved in a cloud-based world with a great degree of precision, Pierson added. The number of tools that integrate with cloud instances to monitor data access, provide auditing, and add in behavioral analytics are increasing in sophistication.
"Key controls of solid authentication -- dual factor -- auditing, cloud service brokerage controls, encryption, and behavioral analytics controls are essential," he said.
Why enterprises can't ignore the EU's new data protection rules
Learn more about converged data protection in the cloud
More tips to balance information security and digital privacy