EY GISS

Data-Centric Security: Protecting data that no longer lives behind the firewall

By Sangeetha Phalgunan, Country Manager – Sales, Informatica India

Today, data moves quicker, zipping between more sources and targets running on completely different technology landscapes than before. As a result, data breaches have become more frequent. It is clear that existing network-based data security architectures that focus on the perimeter are no longer capable of protecting the huge volume of data against sophisticated threats from both internal and external environments. It is not that there are more chinks in the firewall. It is the perfect storm of bad guys getting better, data migrating farther, and the sheer fact that data no longer lives behind the firewall.

Existing security architectures have been built presuming that data will live in a data center and be consumed on-premises. Data was earlier thought to be small, constantly monitored, accessed only by employees via the right security controls, and usually at rest. However, the reality today is that we have data pouring out from millions of apps in the cloud and being sent to billions of mobile devices. This makes the data anything but small, and the challenge of securing it increasingly difficult.

So no matter how strong the perimeter around the data center is, the security it offers is purely notional because it:

* Ignores the movement and proliferation of data: The widespread adoption of cloud services and mobile technology means organizations are moving the data at exponential rates and volumes and none of it is protected by the firewall. More importantly, when data moves from one location to another, it runs the risk of breaking a number of data privacy laws.
* Ignores what is happening inside the perimeter: When as many as 50% of the security breaches can be attributed to people inside the organization, a fortified firewall around the data center is inadequate. Irrespective of whether it is through criminal intent or simple error at work, the administrators and external contractors inside the perimeter who have access to all the data can do serious damage.

These challenges call for organizations to take a whole new approach to security and we call it – Data-Centric Security.

Data-Centric Security protects the data itself – rather than just the endpoints, networks, and applications it moves between. It means the security moves with the data as much as the organization needs it to. Instead of slowing down the progress and proliferation of data, it can empower the organization to make the most of it.

To adopt this new approach to data security, companies will have to learn four processes:

1. Knowing where the sensitive data resides: Only 16% of organizations today know where their confidential data resides. The ability to connect to, discover, locate, and classify sensitive data is a critical process. It must be repeatable and agnostic of technology or geography.
2. Assessing its security posture: In a Data-Centric Security model, there is a need to determine the level of risk that confidential data is subject to. It means always knowing who has access to data, what they are doing with it, and what type of security controls are in place for protection.
3. Protecting it: Data-Centric Security defines unique rules for different data. It means masking the data for certain users and blocking it entirely for others.
4. Detecting infringements: Proactively detecting infringements is critical. It means knowing when the data is in a state that does not comply with a policy, when it is in breach.

The move to Data-Centric Security will involve a significant shift in both approach and technology for most organizations. Organizations will need to consider a few measures like:

* Stopping the use of production data in non-production environments
* Preventing unauthorized access to data
* Monitoring access to data

Organizations will continue to use more sensors, departments will become more mobile with the changed datascape and new architectures will enable them to move as freely as they need to. It will protect their data without inhibiting movement, empower openness and collaboration and allow the data to stay where it naturally resides.

The new age of data is an exciting time for global businesses. The organizations that learn how to handle it without compromising compliance and security will be the ones that dominate this new paradigm.