With the number of data breaches rising each year, it was only a matter of time before existing security systems had to evolve to keep up with the mounting number of exploits and techniques used to steal a company’s data. Unfortunately, many companies still rely on the traditional security model that creates a virtual perimeter around the entirety of the organization’s data.
The problem with this kind of approach is that all of the perimeter defenses are useless when the source of the data breach is already inside the perimeter. Data security budgets can reach extreme numbers, and all of that spending is all but useless when faced with an insider threat.
An insider threat is a type of security incident in which a contractor or an employee mishandles or shares sensitive information, whether for personal gain or by complete accident. No company is immune to this type of data loss, simply because it is another part of the so-called “human factor” that is impossible to get rid of completely.
This problem is made even worse by the fact that many trusted parties within the company have a far wider range of ways to access its data, whether through different devices, different applications, or different locations. That also includes contractors, partners and other trusted parties that work with the company without being under an employment contract.
There are three main reasons why the traditional “perimeter” type of data security is no longer effective as a whole. The first is that your employees need access to information to do their jobs – and it is extremely difficult for traditional systems to track what a specific user does with a piece of data after getting access to it for work-related reasons.
The second problem is also one of the advantages of a modern data system – the ability to access information from almost any location. This means that the data in question is constantly in motion, making it even harder for traditional data security systems to keep up with it.
The third problem concerns the variety of use cases that are possible for a single file or other piece of information. Data usage control and data sharing control are essential here (because of the second problem), and they are downright impossible to enforce with a traditional data security system.
A solution to this problem does exist – and it is called data-centric security. It is not just a new variation of the old “perimeter” type of security structure, but an entirely new approach to data security as a whole. It is no longer possible to keep track of everything by protecting only the container that the data is stored in (be it a network, a server, or something else), which is why the new approach secures the data itself, and not the storage location it uses.
Since data-centric security is a completely new approach, it is worth going over some of its key features and capabilities to make the difference between the two easier to see:
- Data Classification
- Data Discovery
- Data Tagging
- Digital Watermarks
- Data Loss Prevention
- Zero Trust Access
- Data Governance
- Attribute-Based Access Control (ABAC), and more.
Here we are going to go over data classification and digital watermarking a bit more thoroughly, since both are important for the whole system to work properly. Data classification is the bread and butter of the entire data-centric security model – the ability to identify how sensitive each individual piece of information is. There are multiple ways to classify your data, depending on a number of factors – applicable regulations, internal governance policies, etc.
Digital watermarks, on the other hand, are a bit more specific – watermarking is a method of embedding information into a specific piece of data. Not only can digital watermarks help identify the owner of the data, they can also be used to identify confidentiality levels and to track the custody history of a particular document.
Other security measures such as DLP can also be used to protect documents, but they have their own weak spots – for example, a user taking a screenshot of a document, or assuming that a leaked piece of information cannot be traced back to the leaker. Digital watermarking is a measure of protection that is harder to circumvent than these systems – watermark security can adapt both to the use case of a document and to the user.
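As an added illustration (not code from the original article or from any product it describes), the sketch below embeds a per-recipient mark into a text document and recovers it from a leaked excerpt, which is the tracing use described above. The zero-width encoding, the `recipient|classification` payload, the truncated HMAC tag and the function names are assumptions chosen for the example; a text-layer mark like this survives copy and paste but not retyping or screenshots, which call for a visible or image-level watermark.

```python
import hashlib
import hmac

ZW0, ZW1 = "\u200b", "\u200c"  # zero-width space / non-joiner carry bits 0 / 1
TAG_LEN = 8                     # bytes kept from the HMAC-SHA256 tag


def _tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]


def embed(text: str, key: bytes, recipient: str, classification: str) -> str:
    """Return a copy of text carrying an invisible, authenticated mark."""
    if "|" in recipient:
        raise ValueError("recipient must not contain the field separator '|'")
    payload = f"{recipient}|{classification}".encode("utf-8")
    bits = "".join(f"{b:08b}" for b in payload + _tag(key, payload))
    mark = "".join(ZW1 if bit == "1" else ZW0 for bit in bits)
    # Put the mark right after the first word so it travels with copied text.
    head, sep, tail = text.partition(" ")
    return head + mark + sep + tail


def extract(text: str, key: bytes):
    """Return (recipient, classification), or None if no valid mark is present."""
    bits = "".join("1" if c == ZW1 else "0" for c in text if c in (ZW0, ZW1))
    if len(bits) < 8 * (TAG_LEN + 1) or len(bits) % 8:
        return None
    blob = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, payload)):
        return None  # wrong key, or a forged or damaged mark
    try:
        recipient, classification = payload.decode("utf-8").split("|", 1)
    except (UnicodeDecodeError, ValueError):
        return None
    return recipient, classification


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed; a real key lives in a secrets store
    doc = "Quarterly forecast: revenue is expected to grow."  # constructed sample
    issued = {who: embed(doc, KEY, who, "CONFIDENTIAL")
              for who in ("alice@example.com", "bob@example.com")}
    leaked = issued["bob@example.com"][:-20]  # excerpt found outside the company
    print(extract(leaked, KEY))
```

The HMAC tag is what makes the mark usable as evidence: without the key, a mark naming a different recipient cannot be produced, and a damaged mark is rejected instead of being misattributed.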
Data-centric security is a new chapter in the modern data security world, and its importance will keep rising along with the number of data breaches – and those show no signs of stopping anytime soon.