How To Implement a Data Centric Security Model
With data breaches continuing to rise in both cost and number, it’s clear existing security approaches aren’t robust enough to protect valuable information assets. Today’s IT environments — characterized by hybrid workforces and data stored in repositories across on-premise and cloud infrastructures — render existing perimeter-focused security models even less effective. This article outlines why a data-centric security model is needed to effectively mitigate data breach risks. You’ll also get some actionable tips to implement a data-centric approach.
What is Data-Centric Security?
Data-centric security focuses on protecting files with sensitive information rather than the systems or locations storing those files. This model departs from traditional data security, which attempts to safeguard data from theft or misuse by implementing perimeter-based controls, such as firewalls and endpoint protection solutions, in networks and on systems. Mobile workforces and cloud computing have made these perimeter controls even less effective.
By constructing an armor of protection around the data itself, organizations can better ensure that sensitive information remains secure even when perimeter controls are breached or otherwise compromised. The degree to which current data security approaches aren’t working is undeniable:
- By September 30, 2021, the total number of data breaches for the year exceeded 2020’s total by 17 percent
- The average data breach cost of $4.24 million in 2021 was the highest ever reported in the 17-year history of IBM’s annual data breach report.
Why Data-Centric Security?
The numbers demonstrate that investments in perimeter-focused security tools and strategies aren’t paying off in mitigating data breaches. But why is that the case? Why are enterprise-grade security solutions failing to keep out intruders?
More attack vectors
The dynamic interplay of more data than ever, cloud infrastructure, and remote workforces opens up far more attack vectors for adversaries to target. The castle and moat security model worked reasonably well, but attackers have caught up and become more adept at breaching the security walls.
Some of the attack vectors that have opened up more opportunities for data breaches include:
- Targeting remote employees with phishing campaigns and accessing the network using stolen credentials or remote device takeovers
- Scouring the Internet for unsecured cloud storage
- In a big data landscape, hackers may exploit overprivileged access to sensitive data resources.
Firewalls, intrusion detection systems, VPNs, and other security tools deployed at the perimeter aren’t inherently flawed at what they do. They remain necessary as part of the organization’s overall cybersecurity tech stack but they simply aren’t sufficient to protect data from being breached. Put simply, there are more ways to get at data than can be covered by any set of network-centric tools.
Existing data security approaches fall short
A major problem with perimeter-based controls and strategies is that once the network is breached or compromised, malicious actors get access to pretty much EVERYTHING. A firewall might shield against malicious traffic, but if a hacker finds a way into the network that bypasses the firewall, its protection can’t do anything to prevent a data breach.
Mobile workforces compound this issue and further weaken existing data security approaches. Many organizations depend on solutions such as VPNs to connect remote employees to on-premise networks and access resources. The problem with a VPN is that authenticated users get unfettered (i.e., EVERYTHING) access to the network.
All it takes is getting the credentials for one VPN account for a malicious intruder to cause a major security incident. The now infamous Colonial Pipeline attack was made possible by hackers exploiting an old VPN account, the password for which was leaked in a previous data breach. With existing security approaches, once any perimeter safeguard gets bypassed, data breaches are almost inevitable.
Complex data supply chains
Organizations ingest data from multiple sources and share some of that data with third parties, such as suppliers or contractors. The result of this complex, collaborative data ecosystem is that many businesses lack transparency into where their sensitive data is and exactly who can access it.
Without tracking your data and understanding its risk exposure, depending on point perimeter controls to prevent data breaches isn’t going to work. Unsanctioned users will invariably exploit this lack of transparency to access data and use it for unauthorized purposes.
How to Implement Data-Centric Security
Data discovery and classification
Critical to the data-centric approach is taking account of the value of the information you want to protect and its sensitivity. This starts with proper data discovery and classification. Rather than attempting to cover all your data with the same levels of protection, discovery and classification helps to solidify the focus of protection on the most valuable, sensitive information.
Data discovery locates and inventories all existing data regardless of whether it’s stored on-premise or in the cloud. It’s also helpful to map the flow of data so that you know what systems it passes through. Classification then sets out rules for how to protect different types of data based on its sensitivity and value, such as PHI, PII, trade secrets, etc.
Proper access controls help to ensure that only approved users can access certain kinds of information. This access should also be controlled using contextual factors, such as the device, user role, application, or location of access requests.
The access control component of data-centric security seeks to mitigate the problem of giving default levels of trust to users. A data-centric security model puts your organization in a position to implement the principle of least privileges so that users receive the minimum levels of access to data necessary to perform their job functions.
Solid data governance is an important accompanying element here. Data governance ensures you know exactly where your information assets have been and who has accessed them. Data governance also assists in demonstrating compliance with any regulatory requirements.
Encrypt sensitive data
Encrypting your most valuable information assets, such as files containing intellectual property or PII, is an incredibly effective way to prevent data exfiltration or leakage. Even if a malicious party manages to get access to encrypted files by compromising a VPN account or bypassing a firewall, they can’t view the information within those files without the decryption key. Encryption’s ability to prevent security breaches from escalating into data breaches is exactly what’s required from a data-centric security strategy.
Encryption is such a widely recommended security practice that it’s easy to assume every organization does it. Shockingly, a recent report found that 83% of companies don’t encrypt at least half of the sensitive data they store in the cloud. Unfortunately, some businesses are deterred by concerns about key management and user friction when implementing encryption.
Atakama and data-centric security
While data discovery, classification, and access controls help to improve visibility and control over sensitive data, encryption lies at the heart of a functioning data-centric model. Encryption is ultimately what will protect information when all other security measures have failed.
Unfortunately, most existing encryption solutions don’t address the adoption barriers that deter many organizations from encrypting large portions of their sensitive data. Businesses need a better way to meet their encryption needs and to more easily shift to a data-centric model. This calls for a user-friendly, granular, encryption solution that secures files individually.
Atakama is a new approach to encryption with ease of deployment and user-friendliness as core tenets. A decentralized architecture means there is no need for central key stores, and users don’t need to remember passwords. Atakama encrypts at the file level, which is more user-friendly, more secure, and far less resource-intensive than traditional key server and HSM encryption solutions businesses currently rely on.
Encryption keys are split into fragments across physical devices controlled by authorized users. To decrypt files, users simply need to tap “Approve” on their mobile device, an experience that closely resembles 2FA. There is no latency as it takes roughly a millisecond to reassemble key shards.
The Atakama software seamlessly manages the creation, distribution, and reassembly of encryption keys. Atakama has API-based cloud integration features that enable businesses to encrypt cloud-stored sensitive data at all times.
The end result from a business perspective is a robust encryption solution that helps to achieve data-centric security, wherever data is stored. Atakama doesn’t disrupt user workflows or create additional work for administrators.
Contact us today to learn more.