Warren Buffett has called cybercrime "the number one problem with mankind," and given the number of data breaches that occurred in 2019, data-centric security should be at the forefront of everybody's (and every business's) mind.
What is Data-Centric Cybersecurity?
With the increasing amount of highly sensitive data that companies handle today, data-centric security practices have overtaken those that came before. But what is data-centric cybersecurity? Traditional cybersecurity has focused on securing the places where data lives, such as networks, personal devices, servers, and applications. Data-centric security focuses on protecting the data itself, regardless of whether it is at rest (in storage) or in motion (e.g., being moved from one storage location to another, such as over a network).
Ensuring Data-Centric Cybersecurity
How does an individual or organization shift away from the traditional focus on the physical location of the data to focusing on the data itself? The following ten steps help to make your cybersecurity data-centric.
1. Go Beyond What is Required by Regulations
The Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act (SOX), and General Data Protection Regulation (GDPR) are all good initiatives. But we recommend treating them as the minimum, not the target, when securing your data. We recognize that defining something so expansive is challenging and can be time-consuming. However, creating an all-encompassing program will save effort in the long term and allow you to meet changing needs.
2. Identify Sensitive Data
You probably work with many different types of data, and not all of it is sensitive. Given that your resources for security aren't infinite, we recommend minimizing the time you spend on non-sensitive data. For sensitive data, however, there are some preliminary steps you need to take before you can secure it adequately: determine what type of data it is, where it is located (including copies and backups), and what level of protection it needs. This is the information you need to develop the security policy that best fits your organization.
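To make the inventory step concrete, here is an added example (not code from the original article) of a small scanner that locates three common kinds of sensitive data in text and derives a handling level from what it finds. The sample record, the classification labels, and the regular expressions are assumptions for illustration; a real deployment would use your organization's own classification scheme and would run over file shares, databases, and backups rather than one string.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one piece of sensitive data located in a text, with its value masked.
type Finding struct {
	Kind  string // "email", "ssn" or "card"
	Value string // masked value; only the last four characters are kept
}

var (
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	ssnRe   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	// 13 to 19 digits, optionally separated by single spaces or hyphens.
	cardRe = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)
)

// Constructed sample record (not real data) used by main and by the tests.
const sampleRecord = "Order 1234567890123456 shipped to alice@example.com; " +
	"card 4111 1111 1111 1111 on file, SSN 123-45-6789."

// luhnValid reports whether a digit string passes the Luhn checksum used by
// payment card numbers. It removes most false positives such as order numbers.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

func onlyDigits(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// mask keeps the last four characters so a finding can be matched to a record
// without the report itself becoming a new copy of the sensitive value.
func mask(s string) string {
	if len(s) <= 4 {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// Scan returns the sensitive items found in text, in the order email, SSN, card.
func Scan(text string) []Finding {
	var out []Finding
	for _, m := range emailRe.FindAllString(text, -1) {
		out = append(out, Finding{"email", mask(m)})
	}
	for _, m := range ssnRe.FindAllString(text, -1) {
		out = append(out, Finding{"ssn", mask(m)})
	}
	for _, m := range cardRe.FindAllString(text, -1) {
		if d := onlyDigits(m); luhnValid(d) {
			out = append(out, Finding{"card", mask(d)})
		}
	}
	return out
}

// Classify maps findings to a handling level. The labels are assumed for
// illustration; substitute your organization's own scheme.
func Classify(findings []Finding) string {
	level := "public"
	for _, f := range findings {
		switch f.Kind {
		case "card", "ssn":
			return "restricted"
		case "email":
			level = "confidential"
		}
	}
	return level
}

func main() {
	findings := Scan(sampleRecord)
	for _, f := range findings {
		fmt.Printf("%-5s %s\n", f.Kind, f.Value)
	}
	fmt.Println("classification:", Classify(findings))
}
```

Two design points carry over to any real scanner: the Luhn check is what keeps a sixteen-digit order number from being reported as a card number, and the report masks what it finds, since an inventory that stores full values in the clear would itself become a new copy of the sensitive data you are trying to locate.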
3. Focus on Encryption
You must make sure that data at rest (in storage) is encrypted, as well as data in transit. For example, many organizations already use HTTPS, but its encryption only protects data while it travels between the client and the server. Once received, the data may be written to disk in the clear (and it may not have come from an encrypted source either). Data transfer is the other major weak point: make sure the channels over which data moves are secured and cannot be "tapped into" by malicious parties (e.g., TLS with certificate validation, or a VPN for links you do not control), and that the system at each end stores what it receives encrypted. Even a small lapse in encryption is enough for someone to access data they are not authorized to see.
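As an added example (not code from the original article), the following encrypts a record for storage with AES-256-GCM and binds the ciphertext to a record identifier, so that a ciphertext copied onto another record, or a single flipped bit in storage, is rejected on decryption instead of yielding garbage. The record contents, the identifier, and in-process key generation are assumptions for illustration; in practice the key would come from a key management service or HSM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit AES key. Generating it in-process is for
// illustration only; production keys come from a KMS or HSM.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. A random 96-bit nonce is generated
// per call and prepended to the output. context (for example the record ID) is
// authenticated but not encrypted, so a ciphertext moved to a different record
// no longer decrypts.
func Seal(key, plaintext, context []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, context), nil
}

// Open reverses Seal. Any change to the ciphertext, the nonce, or the context
// makes the authentication tag check fail, and no plaintext is returned.
func Open(key, sealed, context []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, context)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	record := []byte("Alice Smith, salary 84000") // constructed sample record
	sealed, err := Seal(key, record, []byte("employee:42"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext\n", len(sealed))

	plain, err := Open(key, sealed, []byte("employee:42"))
	fmt.Println("same record:", bytes.Equal(plain, record), err)

	// Copying the ciphertext onto another record is detected.
	_, err = Open(key, sealed, []byte("employee:43"))
	fmt.Println("moved record:", err)

	// So is flipping a single bit of the stored data.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, []byte("employee:42"))
	fmt.Println("tampered record:", err)
}
```

The caveat that goes with this construction: with random nonces, NIST SP 800-38D limits a single key to 2^32 encryptions, so a high-volume store needs key rotation (or per-record data keys wrapped by a master key) rather than one long-lived key for everything.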
4. Automate as Much as Possible
If you need to use your data, it must be decrypted first. Then, when you are done, it needs to be re-encrypted before it goes back into storage. All of these steps add to your workload, so if you can automate such tasks (among others), you minimize the likelihood of human error compromising the security of your data. The same applies to access decisions: you obviously shouldn't grant access to broad areas based on something like having a company email address. Identity management software therefore offers groups and roles; based on users' assignments, they are given the appropriate data access without anyone having to manage permissions user by user.
5. Secure the Data, Not the File
Access control should follow the information, not the file. While traditional security methods focused on locking down all files of a given type or location, a data-centric model attaches protection and classification to the information itself. Otherwise, an attacker who reaches the same information by another route, such as a copy in a different format, an application export, or a backup, bypasses the file-level control entirely.
6. Control Application Access
This step might seem to blur the line between traditional and data-centric cybersecurity, but we recommend restricting which applications are allowed to access data. For example, you could mandate that a particular application must be used to open a particular file type or classification of data. This stops unsafe, out-of-date, or otherwise malicious applications from opening protected data.
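Steps 4, 5 and 6 come together in a single authorization decision. The following is an added example (not code from the original article) of a policy check in which the classification label travels with the record rather than with a file path, permissions are granted to roles rather than to individual users, the requesting application must be on the approved list for that label, and anything not explicitly granted is denied. The users, roles, labels, and application names are constructed for illustration.

```go
package main

import "fmt"

// Record carries its classification label with it, rather than relying on the
// path or extension of the file it happens to live in.
type Record struct {
	ID    string
	Label string // "public", "internal", "confidential" or "restricted"
}

// Request is one attempt by a user, through a named application, to act on a record.
type Request struct {
	User   string
	App    string
	Action string // "read" or "export"
	Record Record
}

// Rule grants a role the listed actions on records up to and including MaxLabel.
type Rule struct {
	Role     string
	MaxLabel string
	Actions  []string
}

var labelRank = map[string]int{"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

// Role membership would normally come from the identity provider's groups;
// nobody maintains per-user, per-record grants by hand. Constructed data.
var userRoles = map[string][]string{
	"alice": {"finance-analyst"},
	"bob":   {"engineer"},
	"carol": {"finance-analyst", "finance-manager"},
}

var rules = []Rule{
	{"engineer", "internal", []string{"read"}},
	{"finance-analyst", "restricted", []string{"read"}},
	{"finance-manager", "restricted", []string{"read", "export"}},
}

// approvedApps lists the applications allowed to open data at each label.
// Public data may be opened by anything.
var approvedApps = map[string][]string{
	"internal":     {"wiki", "reporting", "ledger-app"},
	"confidential": {"reporting", "ledger-app"},
	"restricted":   {"ledger-app"},
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Authorize returns the decision and the reason. Unlabelled records, unknown
// users, unapproved applications and ungranted actions are all denied.
func Authorize(req Request) (bool, string) {
	rank, ok := labelRank[req.Record.Label]
	if !ok {
		return false, "record has no recognised label"
	}
	if req.Record.Label != "public" && !contains(approvedApps[req.Record.Label], req.App) {
		return false, fmt.Sprintf("application %q is not approved for %s data", req.App, req.Record.Label)
	}
	for _, role := range userRoles[req.User] {
		for _, r := range rules {
			if r.Role == role && labelRank[r.MaxLabel] >= rank && contains(r.Actions, req.Action) {
				return true, "granted by role " + role
			}
		}
	}
	return false, fmt.Sprintf("no role of %s permits %s on %s data", req.User, req.Action, req.Record.Label)
}

func main() {
	payroll := Record{ID: "payroll-2019-q3", Label: "restricted"}
	for _, req := range []Request{
		{"alice", "ledger-app", "read", payroll},
		{"alice", "reporting", "read", payroll},
		{"alice", "ledger-app", "export", payroll},
		{"bob", "ledger-app", "read", payroll},
		{"carol", "ledger-app", "export", payroll},
		{"bob", "wiki", "read", Record{ID: "notes", Label: ""}},
	} {
		ok, why := Authorize(req)
		fmt.Printf("%-5t %s %s %s via %s: %s\n", ok, req.User, req.Action, req.Record.ID, req.App, why)
	}
}
```

Note the order of the checks: the label is consulted before anything else, and a record that has not been classified is refused rather than treated as public, which is what makes the inventory in step 2 a prerequisite for the rest.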
7. Emphasize Protection for Risk Points
Just as you shouldn't spend time on non-sensitive data, don't spend resources on areas where a weak point leading to a data breach is unlikely. There are many places to apply your cybersecurity resources: data access, the cloud itself, the channels by which data is transferred, and your digital outlets (e.g., websites). The team at WhoIsHostingThis stresses the importance of reliable website hosting in particular, which helps ensure your site is secure for your visitors. Ultimately, knowing where the weak points are helps you focus on the riskiest areas.
8. Watch Your Data
While constant monitoring of your data can get expensive, gathering robust information about how it is accessed informs the security decisions you make. It also gives you what you need to respond in the event of a data breach: you will be able to identify when and where the attack happened, its reach, how successful the attackers were, and so on. Furthermore, the access records you collect can be analyzed to improve the security program you implement.
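As an added example (not the article's own code), the following parses a few constructed access-log lines and flags two patterns a monitoring program wants to see early: one user touching an unusual number of distinct records inside a short window, and repeated access denials that suggest someone probing for data they are not entitled to. The log format, the thresholds, and the events themselves are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one access decision recorded by the data access layer.
type Event struct {
	Time    time.Time
	User    string
	App     string
	Record  string
	Action  string
	Allowed bool
}

// Constructed log lines (not from any real system): time user app record action decision.
const sampleLog = `2019-11-04T09:00:01Z alice ledger-app rec-101 read allow
2019-11-04T09:05:12Z alice ledger-app rec-102 read allow
2019-11-04T09:30:45Z alice ledger-app rec-101 read allow
2019-11-04T10:00:00Z bob reporting rec-500 read deny
2019-11-04T10:00:05Z bob reporting rec-501 read deny
2019-11-04T10:00:09Z bob reporting rec-502 read deny
2019-11-04T02:10:00Z mallory ledger-app rec-201 export allow
2019-11-04T02:10:03Z mallory ledger-app rec-202 export allow
2019-11-04T02:10:06Z mallory ledger-app rec-203 export allow
2019-11-04T02:10:09Z mallory ledger-app rec-204 export allow
2019-11-04T02:10:12Z mallory ledger-app rec-205 export allow
2019-11-04T02:10:15Z mallory ledger-app rec-206 export allow`

// ParseLog converts the six-field format above into events. A malformed line is
// an error rather than silently skipped: a gap in monitoring is itself a finding.
func ParseLog(text string) ([]Event, error) {
	var events []Event
	for n, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 6 {
			return nil, fmt.Errorf("line %d: expected 6 fields, got %d", n+1, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, Event{ts, f[1], f[2], f[3], f[4], f[5] == "allow"})
	}
	return events, nil
}

// Alerts flags, per user, more than bulkMax distinct records touched inside one
// window (possible mass collection or exfiltration) and denyMax or more denials
// inside one window (probing for data the user is not entitled to).
func Alerts(events []Event, window time.Duration, bulkMax, denyMax int) []string {
	byUser := map[string][]Event{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic report order

	var alerts []string
	for _, u := range users {
		evs := byUser[u]
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		bulk, probing := false, false
		for i := range evs {
			distinct := map[string]bool{}
			denies := 0
			for j := i; j < len(evs) && evs[j].Time.Sub(evs[i].Time) <= window; j++ {
				if evs[j].Allowed {
					distinct[evs[j].Record] = true
				} else {
					denies++
				}
			}
			bulk = bulk || len(distinct) > bulkMax
			probing = probing || denies >= denyMax
		}
		if bulk {
			alerts = append(alerts, fmt.Sprintf("%s: more than %d distinct records accessed within %s", u, bulkMax, window))
		}
		if probing {
			alerts = append(alerts, fmt.Sprintf("%s: %d or more access denials within %s", u, denyMax, window))
		}
	}
	return alerts
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Alerts(events, 10*time.Minute, 5, 3) {
		fmt.Println("ALERT", a)
	}
}
```

Both rules depend on the log recording who accessed which record through which application and whether the request was allowed; a log that only records that "the file was opened" cannot answer the questions listed above when a breach is being investigated.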
9. Use Device-Agnostic Protection
There are many places data can live: servers, individual workstations, mobile devices, cloud environments, and apps of all types. You should strive for device-agnostic protection if at all possible. Though it may seem challenging at first, choosing a solution that is device- and platform-agnostic means you have fewer gaps to fill later, when you discover that an entire group of systems was left unprotected by the tool choices you made earlier.
10. Train Users of Data Properly
Make no mistake: adding layers of security to protect your data makes it harder for people to use the data. As such, it is easy for busy people to justify skipping seemingly unnecessary steps. We recommend that you train yourself and your employees in how to handle data properly, as well as why such steps are essential. This kind of training doesn't make the tasks easier or any less time-consuming, but it does serve as a reminder that there are reasons for the policies and protocols you implement. As much as we emphasize automation, users are still an important component of every security program!
Summary
With the increasing risk of breaches, as well as the increasing importance of keeping users safe, data-centric cybersecurity should be the paradigm organizations use when developing their security programs. Instead of focusing on the physical storage mechanisms, focusing on the data itself lets protection travel with the data wherever it goes, which increases the protection offered to all parties involved.