
What is Data-centric Security?

Nov 18, 2024

The Data-centric Security Model – A New Approach to Information Security

Data breaches have become the norm in the last few years, signaling it’s time for existing security systems to evolve. Data-centric security solutions shift the approach from a company’s outer defenses to making the data itself more secure.

Data security is an essential responsibility for any organization. It’s not uncommon for companies to spend large amounts of money securing their perimeter against various external threats to their systems and data, such as hacking, malware and ransomware. However, not all data threats originate from outsiders.

Increasingly, data breaches and security incidents are caused by the accidental sharing or mishandling of sensitive information by an employee or contractor or the deliberate theft of data by a malicious insider for personal gain. Known collectively as insider threats, no organization is immune to this type of data loss.

Why? Quite simply, most traditional security methods and approaches are not designed to protect against data breaches and incidents that originate from your trusted users or are designed to detect them after the fact. Employees, contractors, and partners now have far more access than ever to a company’s data from different devices, geographical locations, and applications so a proactive approach is critical.

Why are existing data security methods no longer effective?

A strong perimeter and traditional access control are useless if the security threat comes from a trusted user with legitimate access to systems and data.

Many traditional security measures are not designed to address business collaboration tools and trusted users, leaving these safeguards ineffective against insider threats for a number of reasons:

  1. Your employees are meant to have access to data. Traditional systems are not designed to control what a user does with that data once they have access to it. Behavior analysis and threat detection tools used to fill this gap can only spot a problem after it’s already happened. They can’t proactively stop it from happening in the first place. This is why insider incidents can take months to detect. According to the 2021 Cost of a Data Breach Report malicious insider breaches on average take 306 days to identify and contain – long after the damage has been done.
  2. Data is constantly in motion and accessible from just about anywhere. A file can be accessed from the organization’s internal network using a work PC in the office, from a home office, or somewhere else entirely, like a coffee shop or airport. In some cases, that same file can even be accessed from a personal device such as a smartphone or iPad.
  3. The sheer number of applications used to collaborate on and share data poses a risk. To better control data loss and misuse, you also need to control the usage and sharing of files, not just access to them. For example, the sensitivity of a document can change dynamically as users collaborate on it; they can copy sensitive or proprietary information from it, download it, or share it with another person inside or outside the organization via email, chat tools or cloud sharing apps. These interactions are impossible to control with the traditional security tools that were popular just a few years ago.

The classic data security approach is simply no longer effective with the multitude of collaboration channels and access points available in the modern era.

What is Data-centric Security?

While the major data breaches make the front page news, it’s important to remember that more minor security incidents happen all the time and don’t necessarily need to be reported. For example, consumer data breaches must be reported according to applicable regulations, but intellectual property theft does not. Data breaches, large or small, are a massive headache for many industries – especially since the number of security breaches seems to be increasing drastically year-to-year, with no signs of stopping any time soon.

Now is the time for a new approach to data security as a whole. Most existing methods and techniques attempt to secure a container that holds the sensitive data – be it servers, networks, applications, etc. However, this kind of approach is also the reason for limited control over the data once it’s in motion and being used in a collaborative effort. Once data is in motion or in use, it becomes extremely difficult to control access to it, let alone what users do with it and who they share it with.

A more modern, data-centric security (DCS) approach is designed to address these specific issues. This approach focuses on securing the data itself – not its container or storage location – when it’s at rest or in motion.

DCS has been recognized by leading government and multicoalition organizations as an essential security strategy to protect highly sensitive information. NATO has adopted DCS as a core strategy to provide secure information sharing and ensure efficient data protection. Both NATO STANAG 4774 and 4778 outline confidentiality labels and metadata that must be included to properly classify information as part of a more secure, data-centric approach. The National Institute of Standards and Technology (NIST) has also recommended a DCS approach, including a paper on Data Classification Practices: Facilitating Data-Centric Security Management to establish best practices.

How can organizations effectively implement a data-centric security model?

There are 5 essential elements of a data-centric security approach:

  1. Identify – First, you must identify what types of data you have and categorize/classify them accordingly.
  2. Understand – You must determine how the different types of data are stored, used and shared.
  3. Control – Establish policies and controls around who should have access to different types of data and under what conditions.
  4. Protect – Implement mechanisms to prevent unauthorised access, usage and sharing.
  5. Audit – You must also track how data is used, who uses it and for what purpose for compliance and auditing requirements.

What specific technologies are available to support a data-centric security approach?

To implement the steps above and protect against data loss, a data-centric security architecture will require the critical capabilities and controls outlined below.

Data classification

Since data is the cornerstone of a data-centric security framework, the ability to distinguish regular data from sensitive or valuable information (regulated data, IP, company confidential, financials, HR, etc.) is an essential first step. Clear identification and classification of the types of data in your organization, and of their sensitivity, ensures that the right access and security controls can be applied to the data. These classifications will vary by organization, as they depend on internal governance policies and any applicable regulations (e.g., regional privacy acts, classified military data regulations, etc.).

Data Tagging

Marking or tagging is a logical continuation of the data classification process. The primary purpose of data tagging is to assign a specific label (attribute/metadata) to that specific document to allow other tools to leverage this information to apply additional security controls. For example, tagging can be used to mark information that is subject to internal governance policies or data regulations, such as GDPR, PCI DSS, NIST, CMMC, DFARS, etc.

Data Discovery

Data classification is a great system for distinguishing sensitive data from less sensitive data; however, it only works if your company knows where its sensitive information is located in the first place. This is where data discovery tools come in. Data discovery tools are the engine room that combines the discovery and classification process by scanning your data repositories to automatically identify sensitive data at scale and simultaneously classify/tag it.

Attribute-based Access Control

Classification and tagging are the baseline elements used in implementing a data-centric strategy. By overlaying an attribute-based access control (ABAC) element, any attribute or characteristic of the data, the user or the environment can be used to control access to data and assign appropriate protection based on the context of the request at the specific time access is requested. Because the ABAC methodology is dynamic, it automatically adjusts access rights and protection controls in real time to match the context of each request. For example, different access and protections can be applied to users trying to access the same document from home (read-only access) or from the office (full access).
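The following is an added example, not code from archTIS or from any product mentioned on this page, showing how the five elements above (identify/classify, tag, control, protect, audit) come together in a single ABAC decision. The classification ladder, the tag names, the user and environment attributes and the rules themselves are all constructed assumptions for illustration; a real policy engine would source them from the classification system, the identity provider and the endpoint.

```python
"""Attribute-based access control (ABAC) over a tagged document.

Added example: the classification ladder, tags, attribute names and rules below
are constructed for illustration, not taken from any product's policy language.
"""
from dataclasses import dataclass

# Constructed classification ladder; a higher index means more sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]


@dataclass
class Document:
    """Data attributes: the output of the classification and tagging steps."""
    name: str
    classification: str
    tags: frozenset = frozenset()      # e.g. {"GDPR", "HR"}; drives extra rules


@dataclass
class User:
    """Subject attributes, typically sourced from the identity provider."""
    name: str
    clearance: str
    department: str


@dataclass
class Context:
    """Environment attributes captured at the moment of the request."""
    location: str                      # "office", "home", ...
    managed_device: bool


def rank(level):
    return LEVELS.index(level)


def decide(doc, user, ctx):
    """Evaluate the request and return (decision, obligations).

    decision is "deny", "read-only" or "full"; obligations are the protections
    the enforcement point must apply alongside the decision (the Protect and
    Audit elements of the outline).
    """
    obligations = ["audit"]            # every decision is logged, allow or deny

    # Rule 1 (Control): clearance must meet or exceed the document classification.
    if rank(user.clearance) < rank(doc.classification):
        return "deny", obligations

    # Rule 2 (Control): HR-tagged content is limited to the HR department.
    if "HR" in doc.tags and user.department != "HR":
        return "deny", obligations

    # Rule 3 (Protect): restricted content never leaves a managed device.
    if doc.classification == "restricted" and not ctx.managed_device:
        return "deny", obligations

    # Rule 4 (Control): full access only from the office on a managed device.
    if ctx.location == "office" and ctx.managed_device:
        return "full", obligations

    # Everywhere else the same document is read-only; confidential material
    # additionally gets a user-identifying watermark as a deterrent.
    if rank(doc.classification) >= rank("confidential"):
        obligations.append("watermark")
    return "read-only", obligations


if __name__ == "__main__":
    forecast = Document("Q3 forecast.xlsx", "confidential", frozenset({"financial"}))
    alice = User("alice", "confidential", "Finance")
    print(decide(forecast, alice, Context("office", True)))   # ('full', ['audit'])
    print(decide(forecast, alice, Context("home", True)))     # ('read-only', ['audit', 'watermark'])
```

The point to notice is that nothing about the document or the user changes between the two calls at the bottom; only the environment attribute does, and the decision and the attached protections change with it. The obligations list is what makes the decision data-centric: the enforcement point applies them to the file itself, so the same controls follow the document whether it is opened inside or outside the corporate network.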

At Rest and In Motion Protection

Data is no longer just at rest; it passes between systems, applications, devices, and users. Traditional data security methods often only address data at rest and are not meant to protect it in motion (as data travels between systems, users, and devices) or in use (as data is accessed, edited, processed, and viewed). A modern data-centric strategy needs to address data in all of these states to protect against loss and misuse by applying the controls directly to the data so these same protections are valid within the confines of the corporate network or outside of it. Encryption, geographic access restrictions, read-only access, etc., are a few of the controls that can be used to protect data as it travels.

Encryption

Encryption’s primary purpose is to control data access for compliance or security reasons. It renders data unreadable to anyone without the correct level of access. It’s not uncommon for encryption to have multiple layers: databases, files, hardware, etc. These are all good precautions, but ensuring the data itself is encrypted is critical to a data-centric strategy. This ensures that only the intended recipient or user can decrypt the file for viewing, reducing backdoor access to files by administrators and other unwanted viewers.

Digital Watermarks

Digital watermarks are used to embed information into a document for security purposes. They can be used to identify ownership and confidentiality and track the chain of custody. They are helpful in proactively reminding users that the content they are handling is confidential and also protect against improper use. They help deter the photographing of sensitive content and aid in tracking the source of a leak by embedding user information into the document that cannot be removed.

Redaction

The ability to remove or mask sensitive information in a document is also an important component of data-centric controls for legal or security purposes. Widely used in government and military documents, it also has enterprise applications for IP protection and internal data barriers. For example, you may need to remove someone’s social security number from a resume that is circulating amongst the hiring team for privacy compliance.
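The two capabilities described under Data Discovery and Redaction share one engine: a scanner that finds sensitive values in content, and a step that either tags the content or masks the values in place. The following added example (not code from archTIS or from any product on this page) shows that engine on a constructed resume snippet like the one in the paragraph above. The three detectors, the Luhn check that keeps arbitrary digit runs from being flagged as card numbers, the classification rule and the sample text are all constructed assumptions; a real discovery tool carries many more detectors and tunes each to its own false-positive rate.

```python
"""Discover and redact sensitive data by pattern.

Added example: the detectors below (US SSN, payment card with a Luhn check,
e-mail address) and the sample resume text are constructed for illustration;
a real discovery engine would carry many more detectors and tune them to its
own false-positive rate.
"""
import re

PATTERNS = {
    # Area 000, 666 and 9xx, group 00 and serial 0000 are never issued.
    "US_SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-16 digits, optionally separated by spaces or dashes; validated with Luhn.
    "CARD": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}


def luhn_ok(digits):
    """Luhn checksum; filters out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def discover(text):
    """Return (kind, start, end) findings sorted by position (the discovery step)."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue                      # fails Luhn: not a real card number
            findings.append((kind, m.start(), m.end()))
    return sorted(findings, key=lambda f: f[1])


def classify(text):
    """Assign a label from what was discovered (the classification/tagging step)."""
    kinds = {kind for kind, _, _ in discover(text)}
    if kinds & {"US_SSN", "CARD"}:
        return "confidential"
    return "internal" if kinds else "public"


def redact(text):
    """Replace each finding with a labelled placeholder, left to right."""
    out, pos = [], 0
    for kind, start, end in discover(text):
        if start < pos:                       # overlapping finding already covered
            continue
        out.append(text[pos:start])
        out.append(f"[{kind} REDACTED]")
        pos = end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample: a resume snippet circulating among a hiring team.
SAMPLE = ("Applicant Jane Doe, SSN 123-45-6789, contact jane@example.com. "
          "Card 4111 1111 1111 1111 on file; ref 1234 5678 9012 3456 is not a card.")

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(redact(SAMPLE))
```

The second sixteen-digit run in the sample is deliberately not a valid card number: it fails the Luhn check, so the scanner leaves it alone. That check is the kind of precision work a discovery engine needs, because every false positive in a repository-wide scan becomes either a wrongly tagged file or an over-redacted document. The same `discover` function is what a DLP policy would call on outbound content before deciding whether a share is allowed.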

Data Loss Prevention

Data loss prevention (DLP) enforces various security policies to protect data. It works with both data at rest and in motion, and it can act as a centralized framework that can be used to track data usage and locate unauthorized data sharing. DLP is capable of protecting against both accidental and malicious data loss, and it can leverage data classification to assign appropriate protections.

Zero Trust Access

Zero trust has become the buzzword in security, and for good reason. It has proven an effective framework for ensuring users are authenticated and continuously validated before gaining access to networks and applications. Extending this methodology to data access has clear advantages: by challenging every access request, it ensures only authorized users can access data under the right conditions, preventing suspicious access and misuse.

Data governance and analytics

Governance is an important part of a data-centric strategy. It sets the foundation for a successful implementation by clearly defining the policies and standards your organisation must adhere to from a regulatory and business standpoint. Without clear governance policies, it’s difficult to understand the controls needed to protect and classify your data. You also need a mechanism to understand, monitor and measure efforts and adherence to those policies, which is where analytics come into play. Depending on the regulation, you may also need auditing capabilities to document adherence and track the chain of custody of sensitive information.

Conclusion

The more controls you build into your overall data-centric security strategy, the better your real-time protection will be. All of these mechanisms play an important role in preventing cyberattacks, and together they make data-centric security highly effective at protecting your most critical asset – your data – from both inside and outside threats.

archTIS offers data-centric security solutions to meet your business needs. NC Protect is an add-on that enhances security in Microsoft 365 applications with dynamic ABAC policies to control access and apply protection. Kojensi is a multi-level security platform for collaboration and file sharing that is built specifically for governments, defence industry, and the intelligence field. Both of these solutions are built upon the idea of zero trust data-centric security with attribute-based access control.

Read our whitepaper, Zero Trust: A Data-Centric Strategy for Success. This white paper examines the new information security paradigm of zero trust and how to ensure it extends beyond the perimeter and applications to more effectively protect what is most at risk – data.