In my previous post, I wrote about the futility of constantly protecting against the most recent breach rather than focusing on protecting the data itself. I want to expand on why I think focusing on the data is a much more effective way to defend against outsider attacks.

In the vast majority of cases, an adversary is attacking a target in an effort to steal data. The type of data varies depending on the goals of the attacker (e.g. financial information, consumer data, competitive designs, or source code), but in all cases their end goal is stealing the data. An effective, sustainable defense against these attacks has three core requirements that are centered on applying protection directly to the data:

1. Identify sensitive data continuously. It is obviously hard to protect data if you don’t know where it is at all times. Generating a point-in-time inventory of data is a first step, but doesn’t account for data that is created or modified after the inventory, or the movement of data over time. To protect data, an organization must consistently and continuously identify and classify data as it is created or modified.
2. Monitor sensitive data continuously. Data isn’t static. Employees, customers, and partners use and modify it, as do business applications. Protecting a data store is good, but critical data also exists on laptops and mobile devices, or in email to users inside or outside the enterprise. Knowing where the data “used to be” doesn’t help. It must be tracked throughout its life (and maintain appropriate classification).
3. Protect sensitive data use contextually. Protecting data doesn’t mean simply locking it down. It requires a contextual understanding of three factors: what actions may be taken with the data; by whom; and, under what circumstances. Certain actions may be permissible on the corporate network, but not off the network. Privileged users need to configure devices but should prohibited from viewing specific files on those devices. (This is context aware security.)

Reacting to previous breaches can obviously plug holes in an organization’s defenses, but it’s not a sustainable strategy. By applying protection directly to data, organizations gain continuous visibility to data creation and use. If you know where your data is, at all times, policies controlling its use (and blocking misuse) are simpler to implement. In short, data-centric security protects sensitive information without having to guess the next attack vector.