Data has become a business strategy. If you’re reading this and thinking, “No, data drives business strategy,” you are also right, but the fact is that over roughly the past ten years, businesses have made the conscious decision to collect, process, and use as much customer and product- or service-related data as they can get their hands (keyboards?) on. This concerted effort to amass data has become so foundational to how businesses operate and how decisions are made that it would be impossible to decouple data collection and processing from top-line strategy.
To support this business effort, organizations are running on more data than ever before. According to a survey conducted by Interop, 62% of enterprises are growing their data at a rate of 10% or more year-on-year. This equates to the average-sized organization actively managing terabytes of data. Larger organizations may be actively managing petabytes today, and it’s not crazy to imagine that number growing into exabytes over the next decade. All of this data takes different forms: raw data, data held inside databases and applications, and the code and configuration that make up those databases and applications. Further, organizations’ data are spread across multiple networks, making it hard to manage and even harder to protect.
Segmenting the network, bit by bit
In the current shift from on-premises to cloud-based infrastructure, it only makes sense for organizations to also shift perspective from network-based security controls to data-based security controls. However, old habits die hard. For over two decades organizations segmented their networks using an “outside versus inside” approach — coarse-grained zoning tied to network constructs. In other words, everything outside of the perimeter was considered “bad” and whatever had passed into the network through a security control was deemed “good.” More recently, and with the advent of enterprise mobility and IoT, companies have come to realize that a security control at a perimeter is insufficient to protect the organization. Some estimates say that up to 70% of current network traffic is east-west (i.e., inside the perimeter), meaning that it never passes through the perimeter. Perimeter-based controls, therefore, are irrelevant to that traffic.
As a consequence, many organizations started creating internal “microperimeters” to inspect traffic as it moves from application to application, host to database, and so on. While microsegmentation does add greater control than what’s present on a flat network, there are downsides to traditional, network-based microsegmentation, not the least of which is that it relies on network constructs (IP addresses, ports, and protocols) to function. In a cloud environment, these constructs are ephemeral at best: an instance is replaced and comes back with a different address, and the old address may be handed to something else. Organizations must be able to protect data wherever it is being used, viewed, or stored, without needing to pin policy to network information.
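To make the “ephemeral constructs” problem concrete, here is an added example (written for this page, not Edgewise’s product or any real cloud API) that evaluates the same connection under two policy styles: a traditional rule keyed on source IP, destination IP, destination port and protocol, and a rule keyed on workload identity expressed as labels. The workload records, addresses, label names and the `Workload`, `IpRule` and `IdentityRule` types are all constructed for the demonstration. It goes one step beyond the text by also showing what happens when the database’s old address is recycled to an unrelated host.

```python
"""Added example: IP-keyed microsegmentation vs identity-keyed policy when
cloud instances are replaced. All workloads, addresses and labels below are
constructed; nothing here is a real cloud or vendor API."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str            # hypothetical instance id
    ip: str              # address assigned at launch; changes when replaced
    port: int            # port the workload listens on (0 for pure clients)
    labels: frozenset    # identity tags, e.g. {"app=db", "tier=data"}


@dataclass(frozen=True)
class IpRule:
    """Traditional rule: fixed source/destination addresses, port, protocol."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class IdentityRule:
    """Identity rule: workloads carrying src_labels may reach workloads
    carrying dst_labels on dst_port, whatever their addresses are."""
    src_labels: frozenset
    dst_labels: frozenset
    dst_port: int
    proto: str = "tcp"


def ip_rule_allows(rules, src: Workload, dst: Workload, proto="tcp") -> bool:
    return any(r.src_ip == src.ip and r.dst_ip == dst.ip
               and r.dst_port == dst.port and r.proto == proto
               for r in rules)


def identity_rule_allows(rules, src: Workload, dst: Workload, proto="tcp") -> bool:
    # subset test: the workload must carry every label the rule names
    return any(r.src_labels <= src.labels and r.dst_labels <= dst.labels
               and r.dst_port == dst.port and r.proto == proto
               for r in rules)


def replace_instance(w: Workload, new_ip: str) -> Workload:
    """Simulate autoscaling or a redeploy: same role and labels, new address."""
    return Workload(w.name + "-v2", new_ip, w.port, w.labels)


def demo():
    """Returns (before_replace, after_replace, after_ip_reuse), each a pair
    (ip_rule_result, identity_rule_result) for the web -> db connection."""
    web = Workload("web-1", "10.0.1.17", 0, frozenset({"app=web"}))
    db = Workload("db-1", "10.0.2.5", 5432, frozenset({"app=db", "tier=data"}))

    ip_rules = [IpRule(web.ip, db.ip, 5432)]
    id_rules = [IdentityRule(frozenset({"app=web"}), frozenset({"app=db"}), 5432)]

    before = (ip_rule_allows(ip_rules, web, db), identity_rule_allows(id_rules, web, db))

    # The database is replaced and comes back on a different address.
    db2 = replace_instance(db, "10.0.2.91")
    after = (ip_rule_allows(ip_rules, web, db2), identity_rule_allows(id_rules, web, db2))

    # The old address is recycled to an unrelated host listening on 5432.
    stranger = Workload("unknown-1", "10.0.2.5", 5432, frozenset({"app=unknown"}))
    reused = (ip_rule_allows(ip_rules, web, stranger),
              identity_rule_allows(id_rules, web, stranger))
    return before, after, reused


if __name__ == "__main__":
    print(demo())  # -> ((True, True), (False, True), (True, False))
```

The IP rule breaks in both directions: it silently denies the legitimate replacement (an outage) and silently allows the stranger that inherited the address (an exposure). The identity rule follows the workload through both events because the thing it binds to, the workload’s role, is what actually stays constant.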
Infrastructure-independent data protection
Data-centric security is the best way to ensure that data, applications, and services are protected at all stages, regardless of network environment. Implementing a data-centric security strategy traditionally requires organizations to undertake data discovery and classification, then build and apply controls based on data type, sensitivity, legal/compliance requirements, access control lists, etc. Fortunately, large chunks of these processes can be automated, removing the heavy burden of manually searching for and categorizing the entirety of the organization’s applications and services across all of their public, private, and hybrid cloud environments.
To date, encryption is the industry’s baseline data-centric security control. According to a recent survey, 74% of end-user organizations have partially or extensively deployed public cloud encryption. Though this high number is encouraging on the surface, it by no means guarantees that all of an organization’s sensitive data is protected. Coverage has gaps, whether due to the complexity of encrypting data in the cloud, the cost of encryption, or concerns over system performance impact. Beyond coverage, data has to be decrypted for applications to process it, so it is exposed while in use; keys or tokens can be stolen; and because encryption is transparent to authorized users, a set of valid user credentials is all an attacker needs to read the data in the clear.
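The following is an added example (not code from the page or from Edgewise) that models a minimal “encrypted object store” and exercises three of the gaps just listed: objects outside the encryption policy sit in the clear, a caller with valid credentials gets plaintext through the normal read path, and anyone holding the data key can decrypt the stored blobs without ever touching the credential check. The `ObjectStore` class, the user, paths and records, and the `decrypt_with_stolen_key` helper are all constructed; the cipher is a toy HMAC-SHA256 keystream chosen only so the example runs with the standard library (use a real AEAD such as AES-GCM in practice).

```python
"""Added example: why encryption at rest does not protect data from a caller
with valid credentials or from someone who obtains the data key. Everything
below is constructed for illustration; the keystream cipher is a toy."""
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.
    Symmetric, so the same call encrypts and decrypts. Demo only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ObjectStore:
    """Hypothetical store that encrypts only paths under configured prefixes."""

    def __init__(self, data_key: bytes, encrypt_prefixes=("customers/",)):
        self._key = data_key            # held by the application; a compromised app leaks it
        self._blobs = {}                # what someone with bucket/disk access sees
        self._creds = {}                # toy credential table (real systems store a password hash)
        self._prefixes = encrypt_prefixes

    def add_user(self, user: str, password: str) -> None:
        self._creds[user] = password.encode()

    def _authn(self, user: str, password: str) -> bool:
        stored = self._creds.get(user)
        return stored is not None and hmac.compare_digest(stored, password.encode())

    def put(self, user: str, password: str, path: str, plaintext: bytes) -> None:
        if not self._authn(user, password):
            raise PermissionError("bad credentials")
        if path.startswith(self._prefixes):
            nonce = secrets.token_bytes(12)
            self._blobs[path] = ("enc", nonce, _keystream_xor(self._key, nonce, plaintext))
        else:
            self._blobs[path] = ("raw", None, plaintext)   # coverage gap: stored in the clear

    def get(self, user: str, password: str, path: str) -> bytes:
        # Encryption is transparent to any authenticated caller: the check that
        # matters is this one, and stolen credentials pass it.
        if not self._authn(user, password):
            raise PermissionError("bad credentials")
        kind, nonce, body = self._blobs[path]
        return body if kind == "raw" else _keystream_xor(self._key, nonce, body)

    def raw_storage(self) -> dict:
        """The view an attacker gets by copying the underlying storage."""
        return dict(self._blobs)


def decrypt_with_stolen_key(key: bytes, record) -> bytes:
    """Bypass the store entirely: with the key and the blob, no credentials are needed."""
    kind, nonce, body = record
    return body if kind == "raw" else _keystream_xor(key, nonce, body)


def demo():
    """Returns (at_rest_hidden, readable_with_creds, readable_with_key, uncovered_in_clear)."""
    key = secrets.token_bytes(32)
    store = ObjectStore(key)
    store.add_user("alice", "correct horse battery staple")
    secret = b"customer record: ada@example.com, plan=enterprise"
    log_line = b"user=alice action=login"          # constructed, outside the encrypted prefix
    store.put("alice", "correct horse battery staple", "customers/42.json", secret)
    store.put("alice", "correct horse battery staple", "logs/app.log", log_line)

    disk = store.raw_storage()
    at_rest_hidden = secret not in disk["customers/42.json"][2]
    readable_with_creds = store.get("alice", "correct horse battery staple", "customers/42.json") == secret
    readable_with_key = decrypt_with_stolen_key(key, disk["customers/42.json"]) == secret
    uncovered_in_clear = disk["logs/app.log"][2] == log_line
    return at_rest_hidden, readable_with_creds, readable_with_key, uncovered_in_clear


if __name__ == "__main__":
    print(demo())  # -> (True, True, True, True)
```

The first result is the only one encryption buys: a copy of the storage does not reveal the record. The other three are the gaps the paragraph describes, and they are why the controls that decide who may read which data, and where the key lives relative to the data, carry at least as much weight as the cipher itself.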
To compensate, most organizations layer security, including firewalls, antivirus, data leak prevention (DLP), intrusion prevention, network access controls, or some combination thereof. A thorough cybersecurity program isn’t just one tool or process, and in today’s cyber threat landscape it’s critical to include a data-centric, environment-agnostic capability. Though adopting a data-based approach is less familiar (aside from encryption) to many security practitioners than a network- or infrastructure-based approach, organizations simply collect, manage, and store too much sensitive data to continue to operate on an “outside-in” security framework. Breaches have, perhaps, become expected, but that doesn’t eliminate the pain when they happen. Security teams need to decouple security strategy from network constructs and center on protection and detection that travels with data and applications, no matter where they are running, regardless of who’s trying to access them and from where. This can incorporate elements of microsegmentation, but to tackle today’s data-centric business requirements, security control must be tied directly to data and applications and independent of environment.
Security’s charge is supporting business initiatives. Since the business has put a top-line focus on data, it’s time for security to focus there, too.