The importance of a comprehensive IT security solution cannot be overstated in today's environment. Both the number and scale of data breaches continue to grow and businesses are under greater pressure than ever to keep up with criminals' ever-evolving tactics.
While some attacks are merely aimed at causing disruption, Verizon notes that the vast majority (86%) are financially motivated. This means that, more often than not, hackers will be aiming at your most precious resource - your data.
What is data-centric security?
As a result, a new approach to cyber security is likely to be required by many firms - one that puts the safety of your data itself at the heart of everything you do. This compares with more traditional forms of defense, which are typically focused on network, server or application security.
While these approaches may be useful in protecting your perimeter and reducing the chances of intrusions, a more data-centric strategy looks to prioritize the protection of your most valuable and sensitive assets from all threats. This includes both accidental and malicious exposures, whether they originate from outside the company or from your own employees.
The need for a data-centric security strategy
This is vital, as the number of records compromised makes it increasingly clear that traditional approaches to security are failing to protect data. According to figures from Risk Based Security, more than 36 billion records were exposed by hackers in the first three quarters of 2020.
This was despite a significant drop in the number of total breaches reported in Q3 and makes 2020 the worst year ever for compromised data, with more than double the number of records lost compared with 2019.
What's more, with tough new regulatory regimes such as the EU's GDPR and the California Consumer Privacy Act (CCPA) placing a top priority on how organizations handle and protect personal data, the costs of failure can be high. For example, a recent fine of £18.4 million ($24.2 million) in the UK against hotel chain Marriott for a breach that impacted millions of customers highlighted how expensive failures to protect your data can be.
5 steps needed for effective data-centric security
There is a range of steps businesses need to take if they’re to build a data-centric security solution. This approach requires firms to focus their efforts across every level of their network, not merely concentrating on perimeter defences.
A data-driven security policy should operate on a 'zero trust' basis, where every interaction with sensitive materials is verified and recorded. This ensures that firms aren’t only protected against external threats such as hackers, but also against user errors or malicious insiders who may be able to bypass traditional security measures.
Here are a few crucial elements of an effective data-centric security solution.
1. Complete visibility
You can't protect what you can't see, which is why the first step of any effective data-centric security solution must be to conduct a full audit of every location where data may be stored, whether this is within the business network itself or with third parties, such as cloud services or employees' personal devices.
These discovery activities are likely to throw up a few surprises, as the chances are you've got data in places you didn't even know existed. Internet of Things devices, for example, can generate huge amounts of potentially sensitive data that never make it to central servers, while if employees are accessing business applications through personal smartphones, this data is at especially high risk of falling victim to loss or theft.
2. Accurate classification
Not all data is created equal, however, and if you try to apply the same level of advanced defences to every bit of information within your business, you'll quickly find this overwhelming. Therefore, it's vital that you're able to take the information gained during your data discovery phase and classify it depending on its potential risk.
This will determine where your data should be stored and how it can be accessed. However, there will always be a fine line to tread here between accessibility and security. For instance, siloing the most mission-critical data in highly-encrypted databases with tough multi-factor authentication is the safest option, but if this interferes with productivity too much by making it hard to integrate with other applications, it could cause the business more harm.
3. Strong access management
Once you’ve determined what level of protection each piece of data needs, the next step is to enact strong access controls. For the most important pieces of data, this must include two-factor authentication at a minimum and have full monitoring and recording capabilities, so security pros can be alerted instantly should any suspicious activity, such as the copying of key files, be spotted.
When protecting data from unwanted eyes, it's also important not to overlook physical security. The best encryption and authentication won't help if you leave the door to the server room unlocked, or someone is viewing highly sensitive data in a public place where anyone can see it over an employee's shoulder - which can be more of a risk than you might think.
4. Theft and loss protection
While in an ideal world, a data loss prevention strategy would ensure no information leaves the protection of the network, 100% protection is impossible to achieve, so there must be contingencies in place to ensure that any data that’s compromised is still secure.
This begins with tough encryption, both when data is in transit and at rest. Meanwhile, the use of data masking wherever possible can protect a business against the risk of personally identifiable information being compromised. This is especially important under regulatory regimes that can impose heavy penalties for the loss of this type of data.
Finally, using tools such as mobile device management software that can automatically wipe a laptop, tablet or smartphone of data if it’s physically lost or stolen is also an essential part of your data protection plan.
5. Effective governance
As well as technical solutions, an essential component of a data-centric approach to security must be a strong governance and compliance solution. This begins with having personnel who can take ownership of all a firm's information. Under GDPR, companies are required to have a data controller to oversee all aspects of their data processing.
This area should also set out clear policies for data retention, archiving and backups to ensure you aren't hoarding unnecessary data or are left vulnerable to issues such as hardware failure or ransomware.
With these key steps in mind, you can ensure that no matter how big your big data gets, you aren't putting the information or your business at risk.
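Steps 2 and 4 above (classification by risk, then masking of personally identifiable information) can be combined in one pass over discovered records. The following is an added example, not code from the original article; the tier names, detector patterns and sample records are assumptions made for illustration.

```python
import re

# Assumed detectors for this sketch; real discovery tooling covers far more types.
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that are not payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card(m: re.Match) -> str:
    digits = re.sub(r"\D", "", m.group())
    if not luhn_ok(digits):
        return m.group()  # order numbers, IDs etc. stay readable
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(m: re.Match) -> str:
    local, _, domain = m.group().partition("@")
    return local[0] + "***@" + domain


def classify_and_mask(text: str) -> tuple[str, str]:
    """Return (tier, masked_text); tier names are assumed labels."""
    no_cards = CARD.sub(mask_card, text)
    masked = EMAIL.sub(mask_email, no_cards)
    if no_cards != text:
        return "restricted", masked  # payment data: tightest controls
    if masked != no_cards:
        return "internal", masked    # contact PII only
    return "public", masked


# Constructed sample records (not real data).
SAMPLE = [
    "Card 4111 1111 1111 1111 on file for alice@example.com",
    "Order 1234567890123 shipped",
    "Escalate to bob.smith@example.org",
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(classify_and_mask(record))
```

The Luhn check keeps long order or tracking numbers from being classified as payment data, which avoids pushing ordinary records into the most restrictive tier.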