4 critical elements of a data-centric cybersecurity program
Desperate to defend themselves against the growing ranks of hackers and data thieves around the world, businesses will spend more than $90 billion on cybersecurity this year. Unfortunately, much of that money will be wasted on outdated strategies in pursuit of an unreachable goal.
Network protection—the mainstay of IT security for decades—is no longer a strategy for success. Firewall vendors and IT administrators simply cannot keep up with the constantly evolving tactics developed by criminals, industrial spies, and hostile nations. Experience has shown that if an organization’s data is valuable enough, someone will always find a way to steal it.
An approach focused on the actual goal of IT security—protecting sensitive information—may eventually turn the tide against cyber threats. Organizations in every industry have begun to see that accepting defeat in the fight for network protection is the first step in winning the long-term battle for information security.
Network security is a losing proposition because the numbers are all on the hackers’ side. Once a hacker develops an effective attack, he or she can unleash it against hundreds, even thousands, of organizations with almost no additional effort or expense.
Hijacked computers and other stolen assets are doing all the work, so turning up the volume can only increase the chances of success. The companies on the receiving end of these attacks, on the other hand, must spend more and more money each year in a hopeless effort to keep pace with the hundreds of adversaries trying to steal their data.
Even if an organization could implement a perfect firewall, one so sophisticated that no hacker could penetrate it, the company would have solved fewer than half of its cybersecurity problems. Sensitive data would continue to flow out of the network and into the hands of competitors, hackers, and spies, thanks to employees who—intentionally or not—compromise the company’s security. Insider threats, by some accounts, are now to blame for more than 60 percent of all data breaches, and no amount of perimeter security or device protection can stop the bleeding.
Faced with these uncomfortable truths, businesses and government entities are beginning to adopt a new philosophy when it comes to information security. Data theft, in this new worldview, is an inevitable event, rather than a risk to be avoided at all costs. It is key to prepare for a breach in advance, so the sky does not come crashing down once the bad guys find their way inside.
Neutralizing the Threat
We’ll never know how many security breaches follow this pattern, though the number certainly gets bigger every day. A hacker—using a new technology, an application vulnerability, or a set of credentials gained through social engineering—breaks into a company’s internal network. After a week or two of scanning directories and file paths, the hacker spends another few days downloading gigabytes of highly sensitive information. Once the theft is complete, the hacker examines the stolen data and then…does absolutely nothing, because the data is encrypted and therefore useless to anyone without the decryption key.
That’s the promise of data-centric security: that consumer data, intellectual property, and other sensitive information can be managed and protected so that it remains secure even when it is lost, stolen, or shared inappropriately.
When companies shift their focus from perimeter defenses and put their efforts into protecting data itself, they position themselves for long-term security. When implemented properly, data protection is almost impossible to defeat, no matter how much computing power the attacker throws its way. Data-centric protection eases the burden of compliance with new cybersecurity regulations like the GDPR and the UK’s recently updated Data Protection Bill.
Auditing and Planning
When a company wants to get serious about protecting its data, it needs to begin by assessing all the data types that are in use today, and determining which types will require protection tomorrow.
This is one of the biggest obstacles to data-centric security, because many organizations lack a clear understanding of their data. Database managers might know exactly what types of information are under their control, but the picture tends to get blurry once data moves out of the structured environment of an enterprise database. That’s a problem, because most of the data in any organization is stored in the files—documents, images, email messages, and so on—that employees create and use on their laptops or other devices.
A data-centric security strategy needs to address all forms of sensitive data, wherever they live, to be successful.
Discovery and Classification
Having determined which types of data require protection, an organization can begin to implement the technologies that will do the work.
The process typically starts with a combination of classification, in which files are tagged to indicate what types of data they contain, and discovery, which involves scanning files to determine whether they contain sensitive information. Discovery is an automated process, whilst classification can be performed manually by employees or automatically by a software agent. However the tasks are handled, the purpose is to create and maintain a real-time inventory of all sensitive data throughout the organization.
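An added example, not part of the original article: a small Python discovery pass that scans file text for payment card numbers (confirmed with a Luhn checksum to cut false positives) and email addresses, tags each file, and builds the inventory described above. The patterns, the three tag names, and the sample files are assumptions constructed for illustration.

```python
import re

# Candidate patterns for the discovery pass (assumed rule set, not from the article).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects order numbers and other digit runs that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def discover(text: str) -> dict:
    """Return counts of each sensitive data type found in one file's text."""
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            cards += 1
    return {"payment_card": cards, "email": len(EMAIL_RE.findall(text))}

def classify(findings: dict) -> str:
    """Map discovery findings to a tag (hypothetical three-level scheme)."""
    if findings["payment_card"]:
        return "restricted"
    if findings["email"]:
        return "confidential"
    return "internal"

def build_inventory(files: dict) -> dict:
    """Inventory: path -> tag plus the findings that justify it."""
    inventory = {}
    for path, text in files.items():
        findings = discover(text)
        inventory[path] = {"tag": classify(findings), "findings": findings}
    return inventory

# Constructed sample files; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_FILES = {
    "finance/refunds.txt": "Refund to card 4111 1111 1111 1111, contact jo@example.com",
    "sales/leads.csv": "name,email\nA. Buyer,a.buyer@example.org",
    "ops/tickets.log": "Order 1234 5678 9012 3456 shipped",
}

if __name__ == "__main__":
    for path, entry in build_inventory(SAMPLE_FILES).items():
        print(path, entry)
```

The 16-digit order number in the third sample file fails the Luhn check, so it is not counted as a card and the file keeps the lowest tag.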
Identifying sensitive data is only part of the challenge. The next and most crucial step is to apply a form of protection that keeps the data out of the wrong hands, while still allowing for proper use by employees and business partners.
Strong encryption is the most effective form of data protection, and one that is essentially impossible to defeat when implemented properly. This explains why encryption is so politically controversial—even the world’s most powerful supercomputer would require billions of years to complete a brute-force attack on a standard 256-bit encryption key. Law enforcement agencies may have their own opinions about it, but the fact is that when hackers encounter strong encryption, they give up the fight and move on in search of easier targets.
No matter how well-designed a cybersecurity program may be, it can’t do its job unless employees understand the importance of data protection and know exactly what they’re expected to do with the sensitive information they handle.
Usability is a critical concern. When a company’s cybersecurity tools are slow, cumbersome, or confusing, employees will find ways to circumvent them. This means either letting sensitive data go unprotected, or using a non-sanctioned tool the employee happens to feel more comfortable with, which can cause just as many problems.
Leave No Data Behind
Just as hackers will find and exploit the vulnerabilities of a network firewall, they will take advantage of any weak point in a company’s data protection. To work, data-centric security needs to extend across the entire enterprise, and throughout the entire data lifecycle.
Solutions that only protect certain forms of data, work on a few operating systems, or protect data in certain situations create gaps in security. And when a gap exists, it’s only a matter of time before hackers, spies, or bumbling employees find their way through it.