Maksim Kabakou - Fotolia
Security Think Tank: Data-centric security requires context and understanding
The belief that effective perimeter security is the best way to protect data is a fallacy that is being repeatedly exposed. We must recognise the need for a data-centric security model to protect data from both internal and external threats, but what does this mean for security professionals?
Some people say “the perimeter is dead”, but I think this statement is very far from reality. The concept of internal (non-public-facing) systems and external (public internet-facing) systems is still a reality for all organisations.
The technical, logical and physical controls separating what is public and what is private differ per system and network. Perimeter security is a component of an overall approach to data protection which includes both preventative and detective measures.
Perimeter security is not just a firewall or a network router; it’s also a combination of secure web applications, strongly verified logical controls, maintained and patched systems, appropriately configured systems, and exposure of only the services and protocols that are required.
So, perimeter security is not a network control, but rather the combination of technology and processes to prevent unauthorised access and potential breach and data loss. There may also be multiple layers of perimeter as we traverse a network in order to segment more sensitive areas and data.
Data-centric security focuses on security of data based on context, value and compliance controls surrounding the data being secured. This view helps us apply appropriate technical and local security controls depending on what is being secured. Data-centric security may result in reduced security controls surrounding less critical systems and data, saving on resource usage and budget, which can be applied to improving security on more sensitive areas.
Data-centric security may also “silo” data based on sensitivity and criticality – for example, having more sensitive data stored in an encrypted database with an associated key management server and strong multi-factor authentication controls, coupled with network controls limiting traffic flow from source to destination. This sensitive component may also undergo more rigorous monitoring, security penetration testing and vulnerability management.
Data-centric security attempts to apply strong controls where needed, resulting in better allocation of resources, budget and a stronger resulting security posture.
Security professionals should consider data-centric security, or at least review whether the security controls surrounding various systems and services within a business are appropriate to the potential impact of a breach.
Understanding the dataflows of a system, the components, security controls and possibly developing and documenting a threat model describing the system, risks and countermeasures is a good way to understand how robust the cyber security posture is.
Applying security where it matters is key to any efficient cyber security programme. Attackers generally “go where the money is” and, applying that logic, the defender’s resources should be applied to the same places.
Effective data-centric security requires context and understanding of what is being protected, how it is used, by whom, and the impact of a resulting cyber breach of compromised systems. In cyber security, one size does not fit all.
