In days gone by we would look at securing individual systems - the server in your office, or the network, and then managing endpoints through firewalls and anti-virus software. Everyone sitting together in the same office meant this was the right approach, but as soon as you put your data in the cloud, things change. If you are not securing the data itself, then that data will inherit the security level of wherever it travels to, not where it originated. If I take data from my secure file server and move it to a cloud service, it does not take the server's security credentials with it, and therein lies the problem. How then can I secure the data properly so that wherever it travels to, it will take security with it?
To quote Forrester Research, “There is a fatal flaw in the main assumption underpinning perimeter-based security — the assumption that there is a ‘trusted’ internal network where data is safe and an ‘untrusted’ external network where data is unsafe. This implicit trust assumption is both incredibly naïve and untenable.”
In 2019 we need to keep data secure everywhere, not just within the four walls of the office. A data centric approach to your information security strategy is our recommended way to ensure your data is secure at all times.
The key concepts to a Data Centric Security strategy are as follows:
You cannot protect what you cannot see.
This is usually the biggest issue. You've got 15 years of data stored, terabytes of the stuff, so where do you start? Some organisations opt to run a full discovery audit, whereas some decide to forget their history and start applying a data centric strategy from today, opting to undertake a discovery project at a later date. There is a degree of risk with this, but it’s about managing the project for your organisation right now.
Decide what data to protect and to what level.
The worst thing you can do with data is encrypt it and lock everything down, and have a staff member say, ‘I only want to get a phone number, why do I need a 16-digit pin and a smart card and Face ID?’ Classifying allows you to protect your data properly. It’s about looking at and categorising the data in terms of the level of security you want to attach to it, rather than applying a blanket high level to everything, halting productivity and leaving your users frustrated.
Let's say you have 10 offices in the UK with 250 servers dual hosted across two sites. Have you any idea what is in there and how you are trying to protect it? If you are trying to protect all of it in the same way, you are wasting money - this is why these first two parts of the strategy, Discovery and Classification, are critical to getting the rest right, and this is true whether you move to the cloud or stay on-premises.
Where does your data go?
You have your data, you know it is high risk, so where does it go? You need a solution that will scan your network and show you all the data you hold. This will enable you to move forward into applying the correct security protection for each piece of data.
Manage the privacy and integrity of data.
Once you have the visibility and know what data you have and where it goes, you can encrypt it. Using your classification, you can choose what type of encryption/checksum you want to apply to your data and then decide how to secure it (password, key file, USB device, etc.)
Data Loss Prevention/Data Leakage Prevention
Protection from unauthorised use of authorised access.
Once you have completed classification you can start applying data loss prevention, which will flag, warn and block any unauthorised use. Some solutions can detect customer information in an outgoing email, for example, automatically classify it as sensitive and flag that it should not be emailed out. You can also lock a document so that it cannot leave the software it was created in, or cannot be saved or printed.
Essentially, if data is classed as confidential, then DLP should stop it leaving the business or only let it go on an encrypted basis.
Digital Rights Management
Control data even when it is not on your infrastructure.
When something leaves your organisation, how can you control who has access to it? Think of iTunes or Amazon, they will only let you download a song or film and open it in their apps - you cannot move it around. DRM is a way of saying, ‘I’m still controlling your access even though you’ve taken it away’.
Manage data at a high level, not on a file-by-file basis.
This is how you control access to the data from a higher level, not on a file-by-file basis. Access Control can be groups or network segmentation (i.e. if you are not accessing from inside the office, you cannot get to the HR servers at all.)
Identity and Access Management
Identity and access management is all about defining trust.
This is about managing your users, their access and identity. You want to be able to provide employees or third parties quick access but be able to control, review and deny that access, and be able to add additional authentication should an unusual behaviour take place.
Dealing with end of life data.
Once you have discovered all the data and classified it, one of the remaining issues in data security is, ‘should I still be holding onto it?’ You may have something that could get you into trouble and that legally you don’t need to keep anymore, so why risk having it? If somebody steals this data, and it has 50 million contact records of personal data in it, that’s 50 million people’s data you have breached. So you can set a time limit after which data is destroyed. This idea feeds back into the first step, data Discovery, because once the data has been found, you can see how old it is and when it was last accessed, and automatically archive it and delete it from the system.
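To make the classification-driven decisions in the DLP section above and in this end-of-life step concrete, here is an added Python example (not code from the original article or from Bridgeway) that auto-classifies an outgoing email body, applies an egress policy to it, and maps a constructed discovery inventory to keep/archive/delete actions. The PII patterns, retention periods, file paths and dates are assumptions for illustration only.

```python
import re
from datetime import date

# Egress policy by classification: confidential data only leaves encrypted.
EGRESS_POLICY = {"public": "allow", "internal": "warn", "confidential": "encrypt_or_block"}
# Retention limit in days by classification (assumed figures, not from the article).
RETENTION_DAYS = {"public": None, "internal": 365 * 7, "confidential": 365 * 3}
# Simplified patterns that mark text as customer personal data (constructed).
PII_PATTERNS = [
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),         # email address
    re.compile(r"\b(?:\+44|0)\d{3,4}[ -]?\d{6,7}\b"),  # UK-style phone number
]

def classify_content(text):
    """Auto-classify free text: customer contact details make it confidential."""
    hits = sum(len(p.findall(text)) for p in PII_PATTERNS)
    return "confidential" if hits else "internal"

def dlp_decision(text, encrypted):
    """Return (classification, action) for an outbound email body."""
    level = classify_content(text)
    policy = EGRESS_POLICY[level]
    if policy == "encrypt_or_block":
        return level, ("allow" if encrypted else "block")
    return level, policy

def retention_action(item, today):
    """Decide keep/archive/delete from discovery metadata (age, last access)."""
    limit = RETENTION_DAYS[item["classification"]]
    if limit is None:
        return "keep"
    if (today - item["created"]).days > limit:
        return "delete"            # past its retention limit
    if (today - item["last_accessed"]).days > limit // 2:
        return "archive"           # within the limit but idle for a long time
    return "keep"

# Constructed discovery inventory and reference date for the worked run.
TODAY = date(2019, 6, 1)
INVENTORY = [
    {"path": "/srv/hr/payroll_2009.xlsx", "classification": "confidential",
     "created": date(2010, 1, 1), "last_accessed": date(2018, 1, 1)},
    {"path": "/srv/sales/leads_2017.csv", "classification": "confidential",
     "created": date(2017, 6, 1), "last_accessed": date(2017, 6, 1)},
    {"path": "/srv/web/brochure.pdf", "classification": "public",
     "created": date(2005, 1, 1), "last_accessed": date(2019, 5, 1)},
]
def review_inventory(items=INVENTORY, today=TODAY):
    """Map each discovered item to its end-of-life action."""
    return {i["path"]: retention_action(i, today) for i in items}
```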
Tell me more
Bridgeway can work with you to build your own security strategy using these Data Centric Security concepts, whether that means a complete overhaul or filling in the gaps where you have addressed some of these concepts but not all. What you need to think about is: have you considered all of these, have you addressed them, and where do you think the gaps are? Or would you like us to carry out a gap analysis to find out?
For more information on Data Centric Security please get in touch via Live Chat or speak to one of our experts on 01223 979 090 or email firstname.lastname@example.org.
You can also register to attend one of our free Cloud & Mobile Security Forums taking place later this year to find out more about how to secure your business in a perimeter-less world.