Every organization holds data that is vital to its growth. Traditionally, security has been built around infrastructure, networks and applications, but as data leakage has become more prevalent, organizations now treat the data itself as the crown jewel.
Data can be classified as structured or unstructured. Structured data is mostly stored in databases, yet unstructured data (documents, email, spreadsheets, images) is commonly estimated to make up more than 80 percent of an enterprise's data, and it is the harder of the two to control.
Enterprises need to protect data from unauthorized access not only by external parties but also by internal users, so organizations are increasingly building security controls around the data itself: data-centric security. Data-centric security embeds controls into the data so that they travel with it, whether the data is at rest, in motion or in use inside an application. In this model, the protection of the data does not depend on the security of the infrastructure around it, be that the device, the application, the network or the transport method.
Data leaks not only have a negative impact on the reputation of the enterprise but also can lead to penalties/legal action from regulators. New regulations require the organization to build controls around the security and privacy of the data regardless of whether the data is intended to be used internally or intended to go outside the organization’s boundaries.
At its core, data-centric security can be considered among the following categories:
- Data Classification – Data classification is the process of identifying, labeling and categorizing information, preferably according to its sensitivity or criticality. Most classification tools include machine-learning elements that classify on both content (what the data contains) and context (who created it, where it is stored, where it is going). Classification labels are what make DLP, CASB and EDRM tools effective, because those tools enforce policy by label.
- Data Leakage/Loss Prevention (DLP) – DLP is a system that scans data at rest and in motion in real time, evaluates it against policy definitions, identifies violations and automatically enforces predefined remediation actions such as alerting users and administrators, quarantining suspicious files, encrypting data or blocking the traffic outright. DLP takes time to mature and requires participation from the whole organization, especially in defining the policies; a poorly tuned policy produces false positives that users learn to ignore.
- Cloud Access Security Broker (CASB) – Since much enterprise data now resides in private, public or hybrid clouds, a CASB identifies, monitors and controls enterprise data in cloud infrastructure (including applications hosted in the cloud) and extends the same controls to cloud applications. In data-centric security terms this is often referred to as Cloud DLP.
- Digital/Information Rights Management (IRM, DRM, ERM, EDRM) – DRM enforces the rights of the data owner or custodian by embedding the security controls into the data itself. The controls remain active while the data is in use and while it moves, which gives the enterprise control over the data even after it has left the enterprise boundary. Typical DRM controls are expiry (self-destruction of the data after a set time), revocation of access, and disallowing copy, paste or print of a document.
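The classification and DLP items above describe one pipeline: match content against rules, assign a label, look the label up in a policy for the channel the data is travelling over, and enforce an action. The following Python is an added example written for this page, not code from any DLP product; the document fragments, the label set and the policy table are all constructed for illustration. It shows two details practitioners care about: a Luhn check so that a digit run that merely looks like a card number does not trigger a block, and masking of the evidence so the DLP log does not itself become a leak.

```python
import re
from dataclasses import dataclass

# Constructed sample documents (not real data) that a DLP scanner might see.
SAMPLE_DOCUMENTS = {
    "board_note.txt": "CONFIDENTIAL - Board note Q3: acquisition target valuation attached.",
    "expense.csv": "name,card\nA. Patel,4111 1111 1111 1111\nB. Ng,4012-8888-8888-1881",
    "newsletter.txt": "Our office is moving next month; see the intranet for details.",
    "order.txt": "Order ref 4111 1111 1111 1112 is not a card number.",
}

# Hypothetical policy: (label, channel) -> remediation action. The channel is the
# "context" half of content-and-context classification.
POLICY = {
    ("INTERNAL", "internal_share"): "allow",
    ("INTERNAL", "external_email"): "allow",
    ("CONFIDENTIAL", "internal_share"): "allow",
    ("CONFIDENTIAL", "external_email"): "encrypt",
    ("RESTRICTED", "internal_share"): "alert",
    ("RESTRICTED", "external_email"): "block",
}

# 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects near-miss digit runs that a bare regex would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalised 16-digit card numbers that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> str:
    """Content-based classification: return the highest label any rule fires for."""
    if find_card_numbers(text):
        return "RESTRICTED"
    if re.search(r"\bconfidential\b", text, re.IGNORECASE):
        return "CONFIDENTIAL"
    return "INTERNAL"


def mask(card: str) -> str:
    """Keep only the last four digits so the DLP log itself does not leak the data."""
    return "*" * (len(card) - 4) + card[-4:]


@dataclass
class Finding:
    name: str
    label: str
    channel: str
    action: str
    evidence: list[str]


def evaluate(name: str, text: str, channel: str) -> Finding:
    """Classify, look up the policy for this channel, and return the enforcement decision."""
    label = classify(text)
    # Fail closed: a (label, channel) pair nobody wrote a policy for is blocked.
    action = POLICY.get((label, channel), "block")
    evidence = [mask(c) for c in find_card_numbers(text)]
    return Finding(name, label, channel, action, evidence)


if __name__ == "__main__":
    for name, text in SAMPLE_DOCUMENTS.items():
        f = evaluate(name, text, "external_email")
        print(f"{name:16} label={f.label:12} action={f.action:8} evidence={f.evidence}")
```

Run stand-alone it prints the decision for each sample document as if it were being sent by external email: the expense sheet is blocked, the board note is encrypted, the newsletter is allowed, and the order reference is allowed because its digit run fails the Luhn check. A real deployment would replace the keyword rule with the classification labels written by the classification tool, which is exactly why the two categories belong together.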
Data-centric Security Scenario
Suppose a director of the enterprise is on leave and has no access to corporate email or applications. An urgent board note, a confidential document, needs to be vetted by him, so he asks his office to send it to his personal email for review, and his office does so.
How can the security of the document be ensured?
Can we assume that after reviewing the note he has deleted it from his device and his email inbox? Can the enterprise be 100 percent sure the data will not be misused in future? No.
But if DRM is enforced on the document, an expiry can be set so that access ends after a defined period, and access to information already shared with anyone can be recalled or revoked at any time. DRM policy can also be mapped to classification, so that a document is protected automatically whenever it is discovered, detected, downloaded or shared. The caveat is that these controls are only as strong as the viewer that enforces them: DRM can stop copy, print and forwarding, but it cannot stop someone photographing the screen, so it reduces rather than eliminates the risk of sharing outside the boundary.
Emergence of Data Privacy and Protection Laws
The year 2018 was significant for privacy and data protection laws worldwide, with new measures such as the European Union's General Data Protection Regulation (GDPR), which became enforceable in May 2018, and the California Consumer Privacy Act (CCPA), signed into law in June 2018.
Bahrain also passed a new, comprehensive data protection law, making it the first Middle East country to adopt one.
One of the most significant privacy law developments of 2019 is expected from India. India's draft bill introduces specific rights for individuals as well as requirements that processing entities have to meet. For example, businesses will need to implement organizational and technical safeguards for the processing of personal data, including for cross-border data transfers. The bill also calls for the establishment of a Data Protection Authority to oversee data processing activities.