Analysts on Data-Centric Security
The Times They Are a-Changin' – a look back on analysts' evolving views on information security
"As we’ve seen over the past few years, our cyber adversaries want to steal our data; whether it's credit card information, emails, or intellectual property."
– Jon Oltsik, principal analyst, Enterprise Strategy Group (ESG)
For years, industry analysts advised enterprises to build stronger perimeters and watch for attackers. As a result, companies and government agencies spent billions of dollars each year on hardened networks, intrusion detection/prevention, and anti-malware.
Anyone notice a decline in data breaches?
We’re now seeing a change in the analysts’ tunes; a recognition that the focus should be on directly protecting the assets valued by attackers – the data itself. As former @stake CTO Dan Geer stated recently “It’s not about keeping the bad guys out, it’s about keeping the valuable data in."
"(A Zero Trust Approach) fundamentally shifts the focus from the perimeter to the data itself…”
– Forrester Research, The Future of Data Security: A Zero Trust Approach, June 2014
Nobody will endorse eliminating perimeter security. It’s a fact that you are safer if the attackers are outside your network. However, it can’t be the primary defense mechanism. What happens, for example, when attackers steal the credentials of a privileged user? In that case, we must be able to discern the context of data use, not simply who the user purports to be. A data-centric approach provides a defense against the worst-case scenario; a determined attacker with access rights to the most critical data.
To be effective with data-centric security, you have to create visibility so there is an understanding of how information is being used by employees and contractors. You need to know who is using data and whether the proper safeguards are in place to protect that data. It's hard for an organization to have true visibility without the right tools—things like real-time monitoring capabilities or policy workflow management. You need those tools to understand where data is flowing, what kind of controls are in place, or if there's evidence of misuse or data leakage.
– Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute
Data-centric security provides continuous awareness of data classification and location, and allows organizations to enforce appropriate use by individuals and systems. It simply makes sense to focus on the data rather than individuals or networks. It’s good to see the analysts agree.