A few weeks ago at the Gartner Security and Risk Management Summit I couldn’t help but notice the frequency of the theme – data-centric security. Although not a new term, there seems to be an uptick in interest in the data security layer. Why is that? Because today there is more data and it’s being shared everywhere. It can no longer be contained in the confines of a company’s infrastructure. Think about it: how many old hard drives, thumb drives and CDs do employees have stuffed in desk drawers? Or what about the plethora of Box, DropBox and Google Drive services employees and outsource partners are using? Now imagine the impact on an Enterprise as your employees want ‘doing business’ to be agile; they want to work with any device, from any location, and with numerous external partners. Information resides everywhere, there is lots of it, AND it often contains company-sensitive data.
So what is data-centric security and how do you build an adaptive security architecture for data protection? Here are the recommendations shared at the Gartner event:
Three Basic Principles for Building Data-Centric Security
Data-centric security involves applying controls at the data layer, independent of the device, application and network layers. At the conference, Gartner offered three basic principles for implementing a data-centric security architecture. You need at least two, if not all three, of the principles listed below for an architecture to be data-centric. The principles consist of:
- Persistence: Policies need to be persistently applied wherever the data goes
If data is protected, it needs to be protected across all environments, wherever the data resides. This means that if a file is protected in SharePoint but is uploaded to Box, the security policies still need to be attached to the file.
- Consistency: Controls need to be applied consistently between systems
Access and usage controls are applied consistently across implementations. When one system hands a file over to another system, the policies need to be the same and coordinated.
- Completeness: Controls need to apply to all types of data
This can be challenging to achieve, as we use all types of file formats that need protection. Without protecting all file types, not all sensitive files can be secured. Another element we would add to this is the notion of granularity: can you control file usage down to the individual actions that a recipient can take on a file?
So how do you get persistence, consistency and completeness? Gartner talked about the need for an Enterprise Digital Rights Management solution. An advanced EDRM can encompass all three of these principles. First, EDRM ensures that files are persistently protected wherever they travel and that you can control actions at a granular level. With some EDRM solutions, you can map to security policies in other systems such as DLP, EFSS, CASB, ECM and ERP, which is called policy federation. With policy federation, usage controls and policies are automatically applied when the file is downloaded, discovered or shared from the source system, and they remain intact while the file is at-rest, at-work and in-transit. Automating the application of policies makes data-centric security transparent to users’ processes and makes adoption of EDRM faster. Not only are the policies “consistent” between systems, they remain with the file no matter where it travels or is stored.
The EDRM must also support all file types. A strong EDRM solution will support all the most common file types, as well as offer some degree of protection on less commonly used file formats. Finally, an EDRM solution will track and audit file usage, both authorized actions and unauthorized attempts, to help identify any attempted misuse of files and by whom.
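To make the three principles concrete, here is a small Python model of an EDRM-style policy envelope. It is an added example written for this post, not Seclore's or Gartner's code, and every name in it (the federation table, the labels, groups and regions, the `seal`/`open_envelope` functions) is an assumption for illustration. Persistence is modelled by binding the policy to the content with an HMAC so that a stripped or weakened policy is detected at the point of use; consistency by deriving the usage controls from a source system's classification label (policy federation); completeness by treating the content as opaque bytes, so any file format gets the same treatment; granularity by permitting individual actions; and auditing by recording every allowed, denied and tampered attempt.

```python
import base64
import hashlib
import hmac
import json

# Constructed policy-federation table: a classification label coming from a
# source system (DLP, ECM, EFSS, ...) maps to the usage controls that travel
# with the file. Labels, groups and regions are illustrative, not a product schema.
FEDERATED_POLICIES = {
    "Confidential": {"actions": ["view", "edit"], "groups": ["finance", "legal"], "regions": ["US", "EU"]},
    "Internal": {"actions": ["view", "edit", "print"], "groups": ["employees"], "regions": ["US", "EU", "IN"]},
    "Public": {"actions": ["view", "edit", "print", "copy"], "groups": ["anyone"], "regions": ["*"]},
}


def policy_for_label(label):
    """Policy federation: derive usage controls from the source system's label."""
    if label not in FEDERATED_POLICIES:
        raise ValueError(f"no federated policy for label {label!r}")
    return FEDERATED_POLICIES[label]


def _canonical(policy):
    # Deterministic encoding so the same policy always authenticates the same way.
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def seal(content, label, key):
    """Wrap arbitrary bytes (any file format) in an envelope whose policy is
    bound to the content with an HMAC, so the policy travels with the file and
    stripping or weakening it is detectable at the point of use. A real EDRM
    would also encrypt the content and release the key only after the policy
    check; this demo keeps the content in the clear (base64) for brevity."""
    policy = policy_for_label(label)
    tag = hmac.new(key, _canonical(policy) + content, hashlib.sha256).hexdigest()
    return {"policy": policy, "content": base64.b64encode(content).decode(), "tag": tag}


def open_envelope(envelope, key, principal, action, audit):
    """Enforce the travelling policy before releasing content.
    principal is a dict with 'user', 'groups' and 'region'. Every decision,
    including denied and tampered attempts, is appended to the audit list."""
    content = base64.b64decode(envelope["content"])
    expected = hmac.new(key, _canonical(envelope["policy"]) + content, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        audit.append({"user": principal["user"], "action": action, "result": "tampered"})
        return None
    p = envelope["policy"]
    group_ok = "anyone" in p["groups"] or bool(set(p["groups"]) & set(principal["groups"]))
    region_ok = "*" in p["regions"] or principal["region"] in p["regions"]
    action_ok = action in p["actions"]
    allowed = group_ok and region_ok and action_ok
    audit.append({"user": principal["user"], "action": action,
                  "result": "allowed" if allowed else "denied"})
    return content if allowed else None


def demo():
    """Walk a Confidential file through several access attempts; returns the audit trail."""
    key = b"constructed-demo-key"  # in practice held by the EDRM policy server, never by the file
    audit = []
    env = seal(b"Q3 forecast", "Confidential", key)
    alice = {"user": "alice", "groups": ["finance"], "region": "US"}
    bob = {"user": "bob", "groups": ["finance"], "region": "IN"}
    open_envelope(env, key, alice, "view", audit)    # allowed: right group, region and action
    open_envelope(env, key, alice, "print", audit)   # denied: print is not a granted action
    open_envelope(env, key, bob, "view", audit)      # denied: region IN is not permitted
    # The file is copied to another store and its policy swapped for "Public":
    weakened = dict(env, policy=FEDERATED_POLICIES["Public"])
    open_envelope(weakened, key, bob, "copy", audit)  # tampered: the binding check fails
    return audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The design point to notice is that the policy is part of the authenticated envelope rather than a property of the store the file sits in: whether the envelope is opened from SharePoint, Box or a thumb drive, the same check runs and the same audit entry is written.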
Building an Adaptive Security Architecture for Data Protection
Building a comprehensive data-centric architecture requires an adaptive security process, and Gartner recommends the following approach:
- Where is my data (at-rest, in-transit and in-use) and how is it being used? Data Loss Prevention solutions usually tackle this challenge.
- How sensitive is my data? A classification tool to tag and manage sensitive data will help here, but if you know that all the data in a particular system, say SharePoint, is sensitive, then you can skip this.
- How can I protect my data? This involves an Enterprise Digital Rights Management solution that provides persistent, granular usage controls over the sensitive data.
- Who is using my data, and are they authorized? The combination of SIEM and EDRM solutions will enable you to monitor who is accessing data, what they are doing with that data, from where and when.
The key to making the architecture adaptive is continuous monitoring and analytics of how people are using the data. If employees are sharing new types of sensitive data, or attempting to access information in a way they shouldn’t be, such as from a home IP address or from an unauthorized geography, you need to adapt by adding new access controls, classifications, or discovery of information in new locations.
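The following Python example shows what that feedback loop looks like when run over usage events. It is an added example for this post, not code from Seclore, Gartner or any SIEM; the event fields, labels, regions and thresholds are constructed assumptions. Each finding maps back to one of the four questions above: unauthorized geography and off-network use suggest new access controls, a label the classification scheme does not know suggests a new classification plus discovery in the destination store, and repeated denials suggest an entitlement review.

```python
from collections import Counter

# Constructed audit events in the shape an EDRM-to-SIEM feed might carry
# (field names and values are illustrative, not a product schema).
EVENTS = [
    {"user": "alice", "action": "view", "label": "Confidential", "result": "allowed", "region": "US", "network": "corp", "destination": None},
    {"user": "alice", "action": "edit", "label": "Confidential", "result": "allowed", "region": "US", "network": "corp", "destination": None},
    {"user": "bob", "action": "view", "label": "Confidential", "result": "denied", "region": "BR", "network": "home", "destination": None},
    {"user": "bob", "action": "print", "label": "Confidential", "result": "denied", "region": "BR", "network": "home", "destination": None},
    {"user": "bob", "action": "copy", "label": "Confidential", "result": "denied", "region": "BR", "network": "home", "destination": None},
    {"user": "carol", "action": "share", "label": "PCI", "result": "allowed", "region": "EU", "network": "corp", "destination": "box"},
    {"user": "dave", "action": "view", "label": "Internal", "result": "allowed", "region": "US", "network": "home", "destination": None},
]

KNOWN_LABELS = {"Confidential", "Internal", "Public"}  # labels the classification tool already manages
APPROVED_REGIONS = {"US", "EU"}
CORP_NETWORK = "corp"
DENIAL_THRESHOLD = 3


def analyze(events, known_labels=KNOWN_LABELS, approved_regions=APPROVED_REGIONS,
            denial_threshold=DENIAL_THRESHOLD):
    """Turn raw usage events into adaptation findings. Each finding carries an
    'adapt' hint naming the control, classification or discovery change it calls for."""
    findings = []
    seen_geo = set()      # report one geography finding per (user, region), not per event
    denials = Counter()   # denied attempts per user, aggregated across the window
    for e in events:
        sensitive = e["label"] != "Public"
        if e["result"] == "denied":
            denials[e["user"]] += 1
        if e["region"] not in approved_regions and (e["user"], e["region"]) not in seen_geo:
            seen_geo.add((e["user"], e["region"]))
            findings.append({"type": "unauthorized_geography", "user": e["user"], "region": e["region"],
                             "adapt": "add a geography condition to the usage policy"})
        if e["action"] == "share" and e["destination"] and e["label"] not in known_labels:
            findings.append({"type": "new_sensitive_data_type", "user": e["user"], "label": e["label"],
                             "adapt": f"add label {e['label']} to the classification scheme and "
                                      f"run discovery against {e['destination']}"})
        if sensitive and e["result"] == "allowed" and e["network"] != CORP_NETWORK:
            findings.append({"type": "offnetwork_access", "user": e["user"], "label": e["label"],
                             "adapt": "decide whether this label may be used off the corporate network"})
    for user, n in denials.items():
        if n >= denial_threshold:
            findings.append({"type": "repeated_denials", "user": user, "count": n,
                             "adapt": "review the user's entitlements before the next attempt succeeds"})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Denied attempts are as valuable here as allowed ones: bob's three denials from an unapproved region produce both a geography finding and a repeated-denials finding, which is the signal that a policy already enforcing correctly may still need tightening or an entitlement review.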
Finding a Solution That Puts It All Together
Seclore provides an EDRM solution that not only has persistent, granular usage controls to protect information wherever it travels and is used, but also has seamless connectivity to integrate with the various systems needed to discover, classify, detect and monitor data in an adaptive security architecture. The seamless connectivity with other systems provides automated attachment of usage controls to sensitive documents, key to rapid adoption of data-centric security.
Collaborating internally and externally brings both efficiencies and risk. It is no wonder that data-centric security is being talked about more. Protecting the perimeter to keep data safe is no longer effective when data is freely flowing across and outside the organization’s borders. Constructing an adaptive security architecture will ensure you have the right set of protocols in place to protect and control your organization’s most critical asset: sensitive data in the new era of open collaboration.