Three steps to data-centric security: Discovery, protection, and control

It's 2020 and the enemy isn't at the gate anymore. It's in your network, probing your switches and servers

That makes the gate irrelevant. So what do you do now?

People began predicting the death of the network perimeter as early as 2004. A working group of CIOs known as the Jericho Forum addressed the idea at Black Hat that year. The idea it presented was simple, but seminal: the ring of iron surrounding the average corporate network is obsolete. The old binary distinctions that defined security - staff or not staff, trusted or not trusted, in or out - no longer applied. We were now in the age of the web, where people and network traffic regularly transcended that corporate boundary.

A Jericho without walls

Jericho called this trend deperimeterisation, and it proposed four stages to deal with it. First, move non-corporate systems outside the perimeter, shrinking what it contains. Second, remove the hardened perimeter and focus instead on pervasive authenticated access. Third, remove the perimeter altogether and replace it with connection-level authentication and data-level encryption.

The final step was the clincher, and it set up a generational shift in cybersecurity: adopt data-level authentication. It meant tying access privileges to the data rather than to the hardware it sat on. This, after all, is what is really important to a company. When regulators fine an organisation for losing a hard drive, it's the data rather than the spinning rust that they're upset about.

Jericho's idea might have seemed radical at the time, but 15 years on, nobody is defending the idea of a perimeter. Phishing, drive-by downloads, and guest Wi-Fi access put paid to that idea. As the volume and scope of traffic entering and leaving company systems increased, it became clear that rigid protections like firewalls wouldn't be enough, no matter how smart they were.

In March 2020 the pandemic smashed the idea of the perimeter once and for all. Overnight, Europe went to working from home. Any companies still tying security to specific devices found themselves in real trouble. Employees accessed corporate systems via untrusted home connections, often from mobile devices that their business networks had never seen.

While switching to a data-centric security model makes sense in theory, it brings practical challenges. For one thing, the nature of data itself is evolving rapidly. We grapple far more today with semi-structured and unstructured data than we did 15 years ago.

Data has also become more distributed than ever before. It not only lives in different systems, but much more of it now lives permanently offsite, along with the applications that run it. When Jericho first presented, AWS was just launching and Azure was years away. Now, cloud applications are a way of life.

This all creates an overarching problem that stands in the way of data-centric security: complexity. It's the top thing keeping cybersecurity pros up at night. When Thales asked 509 executives about the biggest barriers to data security for the European version of its 2020 Data Threat Report, four in ten of them cited complexity. The other most common problems were tied to that complexity. It affected business processes, and companies lacked qualified staff to manage data security. A lack of budget made it difficult to source the additional expertise they needed to unravel data-centric security issues.


Thales has argued for a three-point strategy to tackle that complexity and get companies securing their data rather than their perimeters. The first is discovery. You can't protect sensitive data if you don't know it exists, let alone where it is and what type it is. That means scanning for data that's already in your organisation, scouring servers and storage both on your premises and in cloud environments. If you haven't instigated clear cloud service policies, it might also entail auditing for shadow IT to track down data that has leaked into unauthorised accounts.

Scanning for existing data is a difficult job without the proper tools, but it's only the beginning. You must also classify the new data you create. This is something you can tackle with automated policies that tag files based on who created them and when. Software can also look for specific content and classify it accordingly using taxonomies that make sense for your compliance needs. You might stick to 'low-risk/regulated/highly sensitive', or opt for classification relating to a particular compliance framework like employee data, PCI DSS or GDPR. After discovery and classification, you should conduct a risk analysis on what's exposed. Use this to prioritise your remediation efforts, securing the most important data.
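As an added illustration (not code from the article or from Thales) of automated classification and risk-ranked discovery, the Python below scans a constructed set of files, tags content as PCI DSS or GDPR using pattern matching plus a Luhn checksum to cut false positives on card numbers, and orders the results for remediation; the file names, tiers and regular expressions are assumptions.

```python
import re

# Constructed sample inventory (path -> contents); not real data.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,email,salary\nAda Lovelace,ada@example.org,5200\n",
    "shop/orders.log": "order 4411 paid with card 4111111111111111 (visa)\n",
    "docs/menu.txt": "Tuesday: lentil soup, bread, apples\n",
    "shop/refund.log": "refund to card 4111111111111112 rejected\n",
}

CARD_RE = re.compile(r"\b\d{13,19}\b")              # candidate card numbers
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")  # personal-data marker

# Assumed taxonomy: a higher number means remediate first.
TIERS = {"low-risk": 0, "regulated": 1, "highly sensitive": 2}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so random digit runs are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> dict:
    """Tag content with the compliance frameworks it triggers and a tier."""
    frameworks = set()
    if any(luhn_valid(m) for m in CARD_RE.findall(text)):
        frameworks.add("PCI DSS")
    if EMAIL_RE.search(text):
        frameworks.add("GDPR")
    if "PCI DSS" in frameworks:
        tier = "highly sensitive"
    elif frameworks:
        tier = "regulated"
    else:
        tier = "low-risk"
    return {"frameworks": sorted(frameworks), "tier": tier}

def prioritise(files: dict) -> list:
    """Risk analysis: most sensitive files first, then by path for stability."""
    findings = [(path, classify(body)) for path, body in files.items()]
    findings.sort(key=lambda item: (-TIERS[item[1]["tier"]], item[0]))
    return findings
```

The refund log holds a digit run that fails the Luhn check, so it is left at low-risk rather than triggering a PCI DSS finding.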


The second step to data security is protection. How can companies ensure that their sensitive data is safe from unauthorised access? Various approaches to locking down technology address different layers of the technology stack, covering applications, databases, files, and disk storage.

One approach is tokenisation. In this scenario, which is ideal for databases, sensitive data such as a field in a record is replaced with a token. The application accessing the record can use the token to retrieve the real data from a different location.

Cloud storage has ushered in tokenisation as a popular data protection mechanism. It's ideal for storing data in a publicly available environment such as a cloud application while keeping sensitive data safe in an on-premises environment under your direct physical control. Another, more traditional approach is encryption. Microsoft introduced Transparent Data Encryption (TDE) in SQL Server 2008 to encrypt data across entire databases rather than at the cell level. Oracle and IBM offer it too. Outside the database, there are multiple approaches (file, folder, and full-disk encryption), using a panoply of encryption mechanisms. Cloud service providers also offer clients the chance to encrypt data in the cloud, whether they're operating in an IaaS, PaaS, or SaaS environment. Then there are third-party encryption providers, Thales among them, that bring consistent techniques and key management across all of your organisation's different file and storage types.


Protecting the data is akin to padlocking the area where you store it. That alone won't secure the data without an additional pillar of data-centric security: control. That means knowing who is authorised to hold the padlock key and keeping logs of its use.

The key to the padlock in this case is the digital encryption key. Organisations must be able to see and control access to the data, and even control which applications or computer processes are allowed to access different data sets. This limits the ability of malware and ransomware to get hold of the data.

This governance task becomes more complex as companies employ more encryption keys across different use cases. Cloud environments now typically offer clients the chance to control their own encryption keys in a bring-your-own-key arrangement. On-premises systems naturally require companies to manage their own keys across a range of environments, including application and web servers, virtual machines, file servers, and storage devices. Each of these environments multiplies the number of keys in play and the number of vendors and systems that they unlock.
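As an added example (not code from the article or from Thales) tying the tokenisation approach described earlier to the control pillar above, the Python vault below replaces a sensitive field with a random, format-preserving token, keeps the real value in a separate store, only hands it back to applications named in a per-data-set policy, and logs every decision; the data-set names, application identities and policy shape are assumptions.

```python
import secrets


class TokenVault:
    """Holds the real values; applications only ever hold tokens.

    Policy maps each data set to the application identities allowed to
    detokenise it, and every request is recorded in an audit log.
    """

    def __init__(self, policy: dict):
        self._policy = {ds: set(apps) for ds, apps in policy.items()}
        self._forward = {}  # (dataset, value) -> token
        self._reverse = {}  # token -> (dataset, value)
        self.audit = []

    def _new_token(self, value: str) -> str:
        # Random digits with the last four kept for display purposes, so the
        # token has no mathematical relationship to the real value.
        body = "".join(secrets.choice("0123456789") for _ in value[:-4])
        return body + value[-4:]

    def tokenise(self, dataset: str, value: str) -> str:
        key = (dataset, value)
        if key in self._forward:  # same value always maps to the same token
            return self._forward[key]
        token = self._new_token(value)
        while token in self._reverse or token == value:  # keep tokens unique
            token = self._new_token(value)
        self._forward[key] = token
        self._reverse[token] = key
        return token

    def detokenise(self, app: str, token: str) -> str:
        dataset, value = self._reverse.get(token, (None, None))
        allowed = dataset is not None and app in self._policy.get(dataset, set())
        self.audit.append({"app": app, "token": token, "dataset": dataset, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{app} may not detokenise data set {dataset!r}")
        return value
```

A process that is not on the policy list gets a refusal and an audit entry rather than the data, which is the point of keeping the vault, not the application, in charge of access.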

The more complex a company's encryption key management and tokenisation landscape becomes, the more operational hurdles administrators face as they juggle all these assets, each with their own risk profiles and access policies.

Get that management wrong, and the results can be disastrous. Companies that can't manage, monitor and protect their keys can lose control and allow them to fall into the wrong hands, rendering customer data vulnerable. They could put their compliance at risk, leaving themselves vulnerable to audit failure and regulatory fines.

Supporting the three pillars

How can companies tackle these three aspects of a data-centric cybersecurity policy? Discovery, protection, and control are intrinsically linked. They transcend the data lifecycle. Companies can't afford any silos or blind spots in that governance process. That means you either need a seamless way of binding together point solutions from multiple vendors, perhaps with a middleware layer, or you need to do it from a central single-vendor hub that covers all three tasks. Whichever approach you choose, it must handle the full range of data types and locations, spanning structured and unstructured, but also on-premises and cloud. It has to support a range of encryption approaches from different vendors at varying levels of the tech stack. That calls for a broad set of product and service integrations.

A data-centric cybersecurity solution must also support the separation of duties between different stakeholders. For example, software developers are concerned with the protection pillar. They need a way to easily integrate encryption or tokenisation into their applications without trying to roll their own libraries. However, you don't want them making the kinds of policy decisions that sit firmly in the control tier. That's the realm of administrators, along with privacy and compliance officers. Your data security solution must support those organisational divisions, along with a range of technical ones.

Thales tackled this problem when it launched its CipherTrust Data Security Platform in September. It's an all-in-one platform that binds together these discover, protect, and control pillars, offering a way to find data in the organisation and then protect it using a variety of encryption techniques at the file, database, and application level, along with tokenisation support. It also includes a centralised encryption key management system and interfaces with public cloud providers to handle the encryption keys that access enterprise data on their services.

You'll need more than a robust technical solution when redesigning your cybersecurity approach around your data: you'll need a rock-solid organisational structure too. Data touches all the stakeholders in your company, meaning that everyone needs to have input, from sysadmins and software development through to legal. Departmental management should be represented too. Look forward to many meetings as you address the many facets of a complex multi-disciplinary problem. But when you're done, you'll be a stronger, more secure company than you were before. If you're interested to find out more, this Thales paper might be worth a read.

Sponsored by Thales.
