WP Three Keys to Turning Data-centric Security Theory into Practice | Imperva

Three Keys to Turning Data-centric Security Theory into Practice


Most cybersecurity professionals agree that as more organizations move data and applications to cloud-hosted environments, traditional measures focused on protecting IT infrastructure are not up to the task. In fact, according to Crowd Research Partners, 84 percent of organizations say traditional security solutions don’t work in cloud environments. Even so, the march to the cloud continues. According to one recent 2022 study, 83 percent of organizations surveyed said that they are using either hybrid or multi-cloud environments. An increasing number of them are experiencing security issues. Thales reported that 45 percent of surveyed businesses had experienced a cloud-based data breach or failed audit in the past 12 months, up 5 percent from the previous year. For organizations to close the security gap they face in protecting new on-premises database architectures and cloud-native environments, they must take further measures to address the challenge.

In this post, based on Kuppinger-Cole’s recent paper Why Your Organization Needs Data-centric Security, we’ll discuss the concept of data-centric security. Deceptively simple in theory, data-centric security requires a careful strategic approach to translate into a practical data security fabric that wraps protection around an organization’s entire architecture. Three pillars support effective data-centric security: a layered data protection approach, unified data visibility, and automated data analytics. We’ll provide an overview of each pillar and explain how they fit together to ensure you can protect all your data repositories.

1. The layered approach to data protection

The data-centric security journey starts with establishing a layered approach to data collection. Instead of trying to build a single uninterrupted perimeter around all systems that contain sensitive data, multiple physical, technical, and administrative controls must be deployed strategically to ensure that every risk is mitigated by several measures at different locations. In the end, multiple logical layers of protection controls are deployed around the sensitive data, as close to it as possible.

These layers cannot function independently. They must work in concert, with organization-wide security and compliance policies that must be translated into specific rules that discrete systems and applications can understand. To ensure the layers function efficiently at scale, unified visibility and powerful orchestration and automation capabilities must be integrated into the approach.

Bringing machine learning into this approach provides a real-time correlation of security telemetry across different layers and offers intelligent decision support. This, in turn, improves efficiency (dramatically reduced data to process and fewer ‘false positives’) and can support fully automating threat mitigation.

Figure 1 – Layered, data-centric approach to information protection.

2. Unified data visibility

To achieve unified visibility into all data repositories, you must have the tools to simplify, standardize, and automate compliance, data protection, and privacy handling processes. These tools need to work across structured, semi-structured, and unstructured data environments, and they must fit into existing workflows by integrating with tools such as Splunk and ServiceNow.

Unified visibility makes it easy to gain an accurate understanding of where your sensitive data is, whether it is protected, who is accessing the data, and what they are doing with it. You must be able to scale to cover all your sensitive data, structured, semi-structured, and unstructured, on-premises, in hybrid clouds, and across multiple clouds, so you always have full visibility into the scope of your risk and have the ability to respond appropriately.

Unified visibility also enables continuous scanning of your network to identify servers and services that contain sensitive data. Continuous monitoring of changes will identify any new instances or new sensitive data objects. Deploying a classification engine that uses regular expressions will automatically identify many of the data types covered by regulatory mandates such as SOX, HIPAA, PCI DSS, CCPA, and GDPR. You can also customize classification rules for your organization’s own unique data attributes.
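The paragraph above describes a classification engine driven by regular expressions, with built-in patterns for regulated data types and custom rules for an organization’s own identifiers. The following is an added example of how such an engine can be structured; it is not Imperva’s or Kuppinger-Cole’s code. The rule names, the mapping of data types to mandates, the hypothetical `MRN-` identifier format and the sample records are all constructed assumptions. Note the post-match validation step (a Luhn check on candidate card numbers), which is what keeps a regex-only classifier from tagging every 16-digit reference number as a PCI finding.

```python
"""Regex-based data classification, as an added illustration of the classification
engine described above. Example code, not Imperva's product; rule names, mandate
mappings, the MRN format and the sample records are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Rule:
    name: str                                         # label attached to each match
    pattern: re.Pattern                               # compiled regular expression
    regulations: tuple                                # mandates governing this data type
    validate: Optional[Callable[[str], bool]] = None  # post-match check to cut false positives


# Built-in rules for common regulated data types (mandate mapping is an assumption)
RULES: List[Rule] = [
    Rule("PCI-PAN",
         re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
         ("PCI DSS",),
         validate=lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    Rule("US-SSN",
         re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
         ("HIPAA", "CCPA")),
    Rule("EMAIL",
         re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
         ("GDPR/CCPA",)),
]


def add_custom_rule(name: str, regex: str, regulations: tuple) -> None:
    """Organizations add rules for their own identifiers (hypothetical MRN format below)."""
    RULES.append(Rule(name, re.compile(regex), regulations))


add_custom_rule("MRN", r"\bMRN-\d{6}\b", ("HIPAA",))


def classify(text: str) -> Dict[str, List[str]]:
    """Return {rule name: [matched values]} for one record, after validation."""
    hits: Dict[str, List[str]] = {}
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            value = m.group(0)
            if rule.validate is not None and not rule.validate(value):
                continue                    # e.g. a 16-digit number that fails the Luhn check
            hits.setdefault(rule.name, []).append(value)
    return hits


def regulations_for(text: str) -> List[str]:
    """Sorted list of mandates implicated by the data found in one record."""
    found = classify(text)
    return sorted({reg for r in RULES if r.name in found for reg in r.regulations})


# Constructed sample records (no real people; 4111 1111 1111 1111 is a well-known test number)
SAMPLE_RECORDS = [
    "order 1001 paid with card 4111 1111 1111 1111 by jane.doe@example.com",
    "patient MRN-482913 discharged; contact john@example.org",
    "ticket 77: customer SSN 123-45-6789 verified",
    "invoice 2002 ref 1234 5678 9012 3456 (fails Luhn, so not tagged as a card)",
    "no sensitive content here",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{regulations_for(rec) or '-'}: {classify(rec)}")
```

Run as a script, it prints the mandates and matched values for each constructed record; the fourth record shows the value of validation, since its 16-digit reference number matches the card pattern but is dropped by the Luhn check. In a real deployment the same `classify` function would be run over sampled rows from each discovered data store and the resulting labels stored alongside the inventory that unified visibility maintains.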

For both compliance and security purposes, unified data visibility enables you to observe and document who has access to data, and whether that access is necessary or too permissive. You can also ensure that the individuals who maintain the data repositories and their controls are different from the people who audit data access and activity.

3. Automated data analytics

The last pillar, automated data analytics, builds on the audit information that is collected, retained, and managed in the unified view, and uses it to automate detection and remediation. It also eliminates the manual labor associated with consolidating and archiving log files and other records. Data analytics provides instantaneous live access for audit discovery and security forensics. This, along with automated reporting tools, takes the pain out of compliance reporting and accelerates the entire audit process.

Automated data analytics provides continuous monitoring for proactive breach avoidance. It monitors user access to data repositories to detect policy-violating behavior, as well as complex and evasive exploit behavior that internal database controls cannot stop and that other database security solutions fail to detect.

Purpose-built analytics engines recognize signs of potential account compromise or malicious insider behavior, enabling security teams to investigate before they turn into compliance violations or data breach incidents.
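The two paragraphs above describe analytics that run over data-repository access records to flag policy violations and signs of account compromise or insider misuse. The following is an added example of that kind of logic over a handful of database audit records; it is not Imperva’s code, and the access policy, the thresholds, the table names and the audit records themselves are constructed assumptions. It produces two kinds of findings: a policy violation when a role reads a classified table it is not permitted to read, and a volume anomaly when a user who normally reads a few rows suddenly reads orders of magnitude more, with off-hours access noted on the finding.

```python
"""Audit-log analytics, as an added illustration of the monitoring described above.
Example code, not Imperva's product; the access policy, thresholds, table names and
audit records are constructed assumptions."""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Hypothetical policy: roles permitted to read each classified table
ACCESS_POLICY: Dict[str, set] = {
    "customers.cards": {"payments_app"},
    "patients.records": {"clinician", "billing"},
}
ANOMALY_FACTOR = 10          # flag a read returning >10x the user's largest previous read
MIN_HISTORY = 3              # require this many prior reads before judging volume
BUSINESS_HOURS = range(7, 20)

# Constructed audit records (one JSON object per line), already in time order
AUDIT_LOG = [
    '{"ts": "2024-03-04T09:12:00", "user": "alice", "role": "clinician", "table": "patients.records", "op": "SELECT", "rows": 5, "src": "10.0.1.5"}',
    '{"ts": "2024-03-04T10:30:00", "user": "alice", "role": "clinician", "table": "patients.records", "op": "SELECT", "rows": 8, "src": "10.0.1.5"}',
    '{"ts": "2024-03-04T11:05:00", "user": "alice", "role": "clinician", "table": "patients.records", "op": "SELECT", "rows": 3, "src": "10.0.1.5"}',
    '{"ts": "2024-03-04T14:00:00", "user": "bob", "role": "marketing", "table": "customers.cards", "op": "SELECT", "rows": 40, "src": "10.0.2.9"}',
    '{"ts": "2024-03-04T14:01:00", "user": "svc_payments", "role": "payments_app", "table": "customers.cards", "op": "SELECT", "rows": 200, "src": "10.0.3.2"}',
    '{"ts": "2024-03-04T14:30:00", "user": "dave", "role": "analyst", "table": "public.products", "op": "SELECT", "rows": 9000, "src": "10.0.2.4"}',
    '{"ts": "2024-03-05T02:47:00", "user": "alice", "role": "clinician", "table": "patients.records", "op": "SELECT", "rows": 4200, "src": "198.51.100.7"}',
    '{"ts": "2024-03-05T15:00:00", "user": "carol", "role": "billing", "table": "patients.records", "op": "SELECT", "rows": 2, "src": "10.0.1.8"}',
]


def analyze(lines: List[str]) -> List[dict]:
    """Return findings (policy violations and volume anomalies) with a plain-language detail."""
    history: Dict[tuple, List[int]] = defaultdict(list)   # (user, table) -> rows per read
    findings: List[dict] = []
    for line in lines:
        ev = json.loads(line)
        allowed = ACCESS_POLICY.get(ev["table"])
        if allowed is None:
            continue                                       # unclassified table: nothing to judge
        ts = datetime.fromisoformat(ev["ts"])
        off_hours = ts.hour not in BUSINESS_HOURS
        key = (ev["user"], ev["table"])
        base = {"user": ev["user"], "table": ev["table"], "ts": ev["ts"],
                "src": ev["src"], "off_hours": off_hours}

        # Policy check: is this role allowed to read this classified table at all?
        if ev["role"] not in allowed:
            findings.append({**base, "kind": "POLICY_VIOLATION", "detail":
                f'{ev["user"]} (role {ev["role"]}) read {ev["rows"]} rows from '
                f'{ev["table"]}; that role is not permitted by policy'})

        # Volume check: compare against this user's own previous reads of the table
        prior = history[key]
        if len(prior) >= MIN_HISTORY and ev["rows"] > ANOMALY_FACTOR * max(prior):
            when = " outside business hours" if off_hours else ""
            findings.append({**base, "kind": "ANOMALY", "detail":
                f'{ev["user"]} read {ev["rows"]} rows from {ev["table"]}{when} '
                f'(previous maximum {max(prior)}); possible account compromise or bulk extraction'})

        history[key].append(ev["rows"])
    return findings


if __name__ == "__main__":
    for f in analyze(AUDIT_LOG):
        print(f'{f["ts"]} {f["kind"]:<16} {f["detail"]}')
```

Run as a script, it reports one policy violation (a marketing role reading the card table) and one anomaly (a clinician’s 4200-row read at 02:47 against a prior maximum of 8). The `detail` field is the clear-language text that would populate a dashboard or be exported to a ticketing or SOAR system; the structured fields beside it are what an automated workflow would key on.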

Data analytics enables rapid response and resolution for any kind of security or compliance problem discovered, providing dashboards and incident reports in clear language that your compliance and security staff can easily understand. You can follow up and resolve incidents using automated workflows, or you can use integration playbooks to export incident details to other ticketing or Security Orchestration Automation and Response (SOAR) systems.

There is more than one way to design and implement a data-centric security architecture that would fulfill the conceptual principles we’ve outlined here, but these are the fundamental pillars needed to create it.

To learn more about creating a data security fabric featuring a data-centric approach, download Kuppinger-Cole’s recent paper Why Your Organization Needs Data-centric Security.