In cybersecurity, we love a good buzzword. But even more than that, we love a good buzzword that just makes sense. Zero Trust, while an excellent security architecture, is a term that some security leaders take issue with: They don't want to imply that they don't trust their users — they just want to put all their users on an equal playing field that validates that they are who they say they are.
Enter "Data-Centric Security," a powerful way of thinking about Zero Trust security that focuses on the most important asset: The data.
Endorsed by the United States Department of Defense (DoD) and utilized by leaders in tech and security, data-centric security is an industry standard that’s going to be even more relevant as perimeters evaporate into the cloud and hackers become more sophisticated than ever.
Learn what data-centric security is, why it’s gained importance in the past decade, how it interacts with Zero Trust, and some of the challenges we’re facing to implement it.
Data-centric security is an approach to cybersecurity that prioritizes control and secure access to the data at a granular level, rather than prioritizing the systems and networks that store and transmit it.
The philosophy behind it is simple: Data is the thing you’re trying to protect. Data is the most valuable asset for individuals and organizations alike. So, instead of building a stronger castle and a wider moat while leaving the data inside inherently vulnerable, focus on protecting the data first so it’s still safe regardless of the strength of security measures like firewalls and other intrusion detection systems.
Data-centric security strategy aims to ensure that only authorized individuals can access sensitive information, and that the confidentiality, integrity, and availability of that data is preserved.
With data-centric security and Zero Trust, it's not either/or. They’re intrinsically connected.
Nearly all iterations of a Zero Trust security model emphasize protecting data, whether it’s keeping it organized or ensuring it stays in the right hands. The DoD declares Zero Trust to be comprised of seven pillars: users, devices, applications & workloads, network & environment, automation & orchestration, visibility & analytics, and data.
According to the DoD Zero Trust Strategy Report, “All capabilities within the Pillars must work together in an integrated fashion to secure effectively the Data Pillar, which is central to the model.” Data-centric security isn’t just a piece of Zero Trust; it’s the pinnacle.
There are a lot of interpretations of what makes up a data-centric security framework, but they all center around securing the organization, governance, and access to data on an individual or object level. Here are six of the most important tenets of data-centric security.
Encryption is used to protect data from unauthorized access and ensure that only authorized individuals can read and understand it. Data encryption can be done both while the data is being stored in one place (at rest) or while it’s traveling (in transit).
Access controls are put in place to ensure that only authorized individuals have access to sensitive information. Access controls can be enforced through various authentication and authorization methods like passwords, multi-factor authentication, role-based access controls, attribute-based access controls, and more.
Within the context of security, data classification is organizing and tagging data based on shared attributes, like level of sensitivity or project scope, and applying appropriate levels of access and protection for each piece of data.
Data governance is ensuring that data within an organization remains high-quality, accurate, and trusted. This is done by setting standards on how data within an organization is handled, accessed, and managed. The ultimate goal of data governance is to increase trust and traceability in an organization’s data, so that it can be used to inform business decisions.
Data Loss Prevention (DLP) is a set of tools and technologies that are used to prevent sensitive data from being lost or stolen, whether accidentally or maliciously. For example, this could mean using AI to encrypt a message automatically upon detection of sensitive keywords.
Data monitoring and auditing systems are used to detect and respond to any security incidents or breaches. This can include monitoring who accesses data, where the data is located, where it is in its lifecycle, and more.
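As an added illustration of object-level protection (example code written for this page, not Virtru's product or anything from the original post), the block below combines several of the tenets above: each object carries its own classification tag and an attribute-based access policy, is encrypted under its own key, and every access decision is written to an audit log before any plaintext is released. The classification ladder, user attributes and sample document are constructed; the HMAC-SHA256 keystream is a stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed classification ladder (tenet: data classification).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
AUDIT_LOG = []  # tenet: monitoring and auditing; one entry per access decision


@dataclass(frozen=True)
class ProtectedObject:
    # The data and the policy travel together, rather than living in a network ACL.
    classification: str
    allowed_depts: frozenset
    require_mfa: bool
    ciphertext: bytes
    tag: bytes
    key: bytes  # per-object key; a real deployment would hold this in a key server


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for AES-GCM, not a replacement for it.
    return b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]


def protect(plaintext: bytes, classification: str, depts, require_mfa=False) -> ProtectedObject:
    """Encrypt one object under its own key and bind an attribute-based policy to it."""
    key = secrets.token_bytes(32)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()  # integrity check
    return ProtectedObject(classification, frozenset(depts), require_mfa, ciphertext, tag, key)


def authorize(user: dict, obj: ProtectedObject) -> tuple:
    """Attribute-based decision: clearance, department and MFA status must all match."""
    if LEVELS[user["clearance"]] < LEVELS[obj.classification]:
        return False, "clearance below classification"
    if user["dept"] not in obj.allowed_depts:
        return False, "department not permitted"
    if obj.require_mfa and not user.get("mfa", False):
        return False, "mfa required"
    return True, "permitted"


def access(user: dict, obj: ProtectedObject):
    """Release plaintext only after policy passes and integrity verifies; log either way."""
    allowed, reason = authorize(user, obj)
    AUDIT_LOG.append({"user": user["id"], "classification": obj.classification, "allowed": allowed, "reason": reason})
    if not allowed:
        return None
    expected = hmac.new(obj.key, obj.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, obj.tag):
        raise ValueError("object tampered with")  # fail closed on integrity failure
    return bytes(c ^ k for c, k in zip(obj.ciphertext, _keystream(obj.key, len(obj.ciphertext))))
```

Because the policy and key are bound to the object rather than to a network location, the same decision is made wherever the ciphertext ends up, which is the property the tenets above are describing.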
There’s been a noticeable shift to data-centric security in the past decade, and there are a lot of reasons for that.
Data-centric security has gained popularity as organizations have begun to recognize the limitations of traditional perimeter-based security measures. The idea of protecting data at the object level, rather than just securing the systems and networks that store and transmit it, has been around for some time, but it has become more prevalent in the last decade or so.
One of the key drivers of the shift to data-centric security has been the increasing number of data breaches and cyber attacks that target data itself. As hackers have become more sophisticated in their methods, organizations have had to adapt their security strategies to better protect sensitive information.
Additionally, the rise of cloud computing, remote working, and the Internet of Things (IoT) have also contributed to the shift to a data-centric approach. As more and more data is stored in the cloud and shared across different systems and devices, it becomes increasingly difficult to secure data at the network or system level.
Finding where sensitive data is located can be difficult in large and complex organizations. Sifting through every system and device can be nearly impossible, and sensitive data has to be found in both structured and unstructured environments.
Encrypting data can become complex, especially when you factor in the protection and security of your encryption keys. It's important that your encryption tools and partners are easy to work with, so that users don't circumvent security protocols when working with sensitive information.
Organizations must ensure that only authorized individuals can access sensitive data, while also ensuring that legitimate users can access the data they need to do their jobs. Data-centric security requires granular access controls, which can be difficult to maintain without the right tools.
Data governance is complex to implement, and even more complex to maintain. Ensuring that data is managed, used, protected and deleted in compliance with legal, regulatory and organizational requirements requires a lot of expertise, security teams, and automation, along with maintaining data quality, lineage and auditability.
Integrating data-centric security measures into existing systems and processes can be complicated, especially when different systems use different security protocols and technologies. You'll want to select tools and vendors that play well across the applications your team uses every day, so as not to disrupt existing workflows.
Data-centric security architecture isn’t a specific roadmap; it’s a data protection strategy whose methods of execution will need to change and adapt with the evolving landscape of threats. This requires a subset of effort all on its own — and the people, processes, budget, and expertise to pull it off.
With Virtru as your partner, it's easier than you might think to embrace data-centric security controls for collaboration workflows including email, files, and SaaS service clouds like Zendesk and Salesforce — and incorporate DLP protections, too. See how easy it can be with a Virtru demo.