Data security controls, or more specifically, data-centric cybersecurity controls are based on a security approach that emphasizes the security of the data itself over the security of devices, applications, servers, or networks.
The digital transformation of organizations and the increase in companies that trust data more than ever (data-driven organizations, McKinsey) to drive their business operations, is making data-centric security grow bigger than ever. With corporate data stored in different locations such as the cloud, local systems, distributed databases, etc., the need for security frameworks and strategies such as Zero-Trust (promoted by Forrester) or SASE (promoted by Gartner) is reinforced.
In this article, we are going to talk about data-centric security controls from a mainly technological approach versus a process or organizational approach. Specifically:
- Increased risk on corporate data. Summary 2020
- Key elements of data-centric security
- Technologies in the field of data security.
- What data security controls can best help me meet my protection goals
Increased risk on corporate data. Summary 2020.
According to the report published by Risk-Based Security 2020 Year End Report Data-Breach, during 2020 there was a 141% increase compared to the previous year in compromised records due to data leaks. The increase in leaks due to a ransomware attack grew by 100%, with the health sector being the most attacked with 12.5% of reported data thefts, followed closely in a third position by the financial and insurance sector.
Also rising are organized groups that, after perpetrating attacks and theft of data on organizations, make this data public, such as the case of “ShinyHunters” which in the last quarter of 2020 published sensitive data extracted from some 17 companies from different sectors.
In 62% of reported leaks, access to sensitive data was confirmed. 77% of the thefts were due to attacks of external origin and 16% to internal origin. Of the latter, 69% were due to errors and failures.
According to the Verizon report “2020 Data Breach Investigations Report”, Data thefts where the attack takes a greater number of steps to achieve its objective, which are mainly caused by Hacking and Malware, compromise for the most part the Confidentiality and Integrity of the data compared to Availability. Attackers persistently work their way through the corporate network to reach their target, the data, and compromise the confidentiality of the data.
In many cases, attackers go unnoticed as internal users, so network or perimeter control measures are no longer effective.
Key elements of data-centric security
There are different key elements for an effective data-centric security system:
- Identification, discovery and classification of sensitive information: The target of an attacker, whether internal or external, is usually the most sensitive and valuable information: data through which he can directly or indirectly obtain benefits. On the other hand, there are also data related to some type of regulation such as EU-GDPR, PCI, or others. In some organizations this is stored in certain repositories known to the teams, however, it can also be distributed and in these cases, tools that allow identifying where it is, can be useful for an organization that wants to implement data-centric security controls.
- Data-centric protection: Data-centric security controls focus on securing the organization’s valuable content so that it can be protected from potential unauthorized egress from the network, cloud, or data leakage. We can know where the sensitive information of the organization is, but it will be of little use, if we don’t apply measures to protect this information wherever it travels.
- Audit and monitoring of access to data: To determine the level of risk on corporate data, it is important to be able to analyze its use and determine if the behavior patterns of users on the data are outside a certain standard.
- Administration and management of data policies: Who should or shouldn’t have permissions to access the data isn’t something that is established in a static and lasting way. You must be able to apply dynamic policies on the data so that if you stop collaborating with someone or if it is detected that a certain person may be at risk, we can revoke access to it or try to prevent it from leaving the corporate network.
Data security controls attempts to offer organizations the following benefits
- Mitigate or prevent data leaks derived from inappropriate actions by employees, whether accidental or malicious: Try to block the exit of sensitive data from the network or, depending on the technology, the information travels protected and only users who have permissions on it will be able to access it.
- Facilitate secure collaboration establishing different measures of access or collaboration depending on the level of sensitivity of the information. You can let share it with third parties or not, or leave a limited access control depending on whether it is highly confidential or not.
- Help compliance with data protection regulations: Regulations such as EU-RGPD, force companies that have someone else personal data to have them controlled. Encrypting them, blocking the exit of the network, and auditing their use, an attempt is made to facilitate compliance with these types of regulations.
- Protect against network security breaches that may lead to data exfiltration: There is continuous news in the press of attacks of all kinds, such as ransomware, where documents, emails and internal data of companies are exfiltrated and they are extorted with the publication of this data. There are multiple entry routes for these types of threats in the corporate network, and in this case those that encrypt the data add an additional level of control, which protects the data against a possible breach in the network.
To implement a security strategy focused on data, we find different technologies and security controls on the market with different objectives. Some of the best known are summarized below.
Technologies in the field of data security
Encryption technologies protect idle information and when in transit. However, once decrypted the user has complete control of it and access control can no longer be guaranteed. There are different types of encryption technologies, highlighting the following in terms of implementation in companies:
- Disk encryption: They have been incorporated into hardware manufacturers or even into the operating system itself (Windows, mobile manufacturers, etc.) where it is possible to encrypt the disk. It is limited to preventing data loss if the device has been lost.
- Email encryption: A layer of SMIME/TLS is built into the email to transmit it end-to-end encryption. It provides protection in transportation basically.
- File encryption: There are multiple tools based on the management of passwords or certificates such as PGP (public/private key). They provide protection when idle and in transit, but not in use.
DLP Technologies (Data Loss Prevention)
A DLP-type data protection system tries to block the output of confidential information from the network sent by email, copies to USB, etc. They are focused on a perimeter security model and don’t fit well into the new business context without a perimeter. They focus on that sensitive information doesn’t leave the “castle”.
The rapid adoption by cloud companies and the arrival of mobile platforms (iOS, Android) has been a challenge for this type of technology, which has had difficulties adapting to reality. This has led to the emergence of specific products to control security on mobile devices such as EMM (Enterprise Mobile Management) or MDM (Mobile Device Management) platforms, CASB (Cloud Access Security Brokers) platforms, and there has been a greater evolution of the E-DRM / IRM technologies towards what is called IPC (Information Protection and Control) with the aim of securing information in any location.
DLP systems are divided into two areas according to Gartner:
- Enterprise DLP: They offer a central console for policy management and monitoring and control the output of information through different scenarios such as endpoint or user station, or network. They also do information discovery.
- Integrated DLP: They are solutions integrated natively with some products already extended in the market. An example could be the Microsoft Exchange mail server, which in recent years has incorporated DLP rules to detect and block the leakage of information through Email.
These technologies work in the field of data discovery, protection (trying to block the output of information from the network) and monitoring information while it is within the perimeter. Of course, once the information has left the network, they can no longer do anything to protect it or monitor its use unless they are integrated with IRM / E-DRM / IPC technologies. On the other hand, to avoid false positives they are often combined with information labeling or classification tools.
Identification, discovery and classification of data
They allow the data to be identified and cataloged according to the level of confidentiality (confidential, internal, public, etc.). They also allow discovering data within the organization that may be linked to compliance with a certain regulation such as PCI, EU-GDPR, regulations in the field of the health sector, etc.
We can differentiate them into two types:
- Automatic discovery, identification, and classification: They locate sensitive information on the network and automatically classify it based on different patterns without user intervention. Through the scanning of certain repositories, and based on dictionaries linked to specific regulations, they allow to discriminate and classify the data.
- Manual classification performed by the user: It is the user who labels the documents according to the level of confidentiality (e.g. public, confidential, etc.). In this case, there is really no identification, without simply labeling or classification, which, when carried out by the user and not by an automatic system, can help avoid false positives.
They are tools that allow the information on the corporate network to be cataloged, but by themselves they don’t protect the information or audit its use. Actually, when it comes to protection, they are still a complement to a DLP or IRM / E-DRM / IPC technology, since they don’t protect the information and only classify it.
CASB Technologies (Cloud Access Security Brokers)
Gartner defines the market for CASB, or Cloud Access Security Brokers, as products and services that address security gaps in the use of cloud services by an organization. This technology is the result of the need to protect cloud services that are being adopted at a significantly high rate and access to them by users both inside and outside the traditional business perimeter, in addition to an increasing direct access of cloud to cloud.
CASB providers understand that for cloud services the protection objective for the organization is the following: it is still your data, but processed and stored in systems that belong to someone else. CASBs provide a central location for policies and governance concurrently across multiple cloud services for users and devices, and granular visibility and control over user activities and sensitive data.
A CASB has four functions aimed at protecting company data:
- Visibility – Provides information about which cloud services are being used.
- Compliance – Ensuring that data in the cloud meets retention and compliance requirements.
- Data security – Access control and privilege management, but while the data is in the cloud.
- Threat Protection – Identify compromised people and accounts
The CASB is located between the users and the cloud, checking and monitoring who accesses, if they have access privileges, etc. It prevents downloads depending on the security policies of the company or alerts of possible threats due to having “public links” to information stored in the cloud..
However, the CASB’s approach is to control access to information in the cloud and the identity of who accesses it, but they have certain limitations:
- If all the traffic of a company is intercepted and impersonates the CASB, the large investments in availability and geographical distribution by the cloud providers are not taken advantage of, appearing points of failure in the architecture since the resources of the CASB providers are lower than those of cloud platforms.
- There is only control while the information is in the cloud, but not once it has been downloaded and is out of the cloud.
- The remediation is based on blocking downloads only or on the control of permissions and encryption of the information data when it is stored. Once documentation leaves the cloud, there is nothing they can do to protect, control, or block access to it.
Information Rights Management (IRM) / Enterprise Digital Rights Management (E-DRM) / Information Protection and Control (IPC)
Enterprise Information Protection and Control (IPC)
The ability to control information even outside the cloud is within reach of IPC (Information Protection and Control), or IRM / E-DRM (Information Rights Management / Enterprise Digital Rights Management) technologies that allow you to protect the information wherever you travel:
- Protection travels with documentation wherever it is.
- You can limit the permissions on the documentation (Only View, Edit, Print, etc.).
- Es posible monitorizar accesos a la documentación, esté donde esté.
- It is possible to monitor access to documentation, wherever you are.
- Access to files can be revoked, regardless of where they are located.
In the case of a data-centric approach to security, protection must be user-driven or managed by the administrator to protect specific folders.
If we talk about a Cloud environment, folders or documentation repositories are encrypted in systems with O365, Box, etc. so that everything stored in these folders is automatically protected.
These technologies can work integrated with classification tools, automatically protecting classified data depending on the level of confidentiality, DLP or CASB, making the information that travels inside or outside the corporate network, or cloud, always travel protected and under control.
What data security controls can best help me meet my protection goals?
We have to review within the organization what is the priority when implementing a security strategy focused on data:
- Do I want to start protecting the information that I store in certain repositories and computers without starting a classification or identification process?
- I have certain critical data protected, but want to locate where other data is that may be easily leaking?
- Do I have most of my data within the perimeter and do I want to block its output at all costs?
- I have made a quick transition to the cloud, and am I interested in having additional security controls than those offered by the cloud platforms themselves?
- My organization’s perimeter is more blurred than ever, with data on and off the network, and I want to control the data wherever it travels?
The answers to these questions will make us prioritize a certain technology and solution and opt for it.