Data is key to any organization. Every organization holds data that is vital to its growth. Most organizations build security around structured data, which is mostly stored in databases. But typically, more than 80% of data is unstructured. Organizations need to protect data from unauthorized access not only by external users but also by internal users.
Data-centric security embeds controls into the data itself so that these controls stay with the data whether it is at rest, in motion or in use by an application.
In data-centric security, the protection of the data is independent of the security of the infrastructure, be it the device, application, network or method of transport. A data leak not only tarnishes the organization's reputation but also leads to penalties and legal action. New regulations require organizations to build controls around the security and privacy of data, whether the data travels within the boundary of the organization or goes outside it.
Basically, the core data-centric security solutions consist of the following:
1. Data Classification
2. Data Loss Prevention (DLP)
3. Cloud Access Security Broker (CASB)
4. Digital/Information Rights Management (IRM, DRM, ERM, EDRM)
Data Classification – Data classification is the process of identifying and labelling information/data, preferably by its sensitivity. Most classification tools have an element of machine learning based on content and context. Classification increases the effectiveness of DLP, CASB and EDRM tools.
Data Loss Prevention (DLP) – DLP is a system that performs real-time scanning of data at rest and in motion, evaluates that data against existing policy definitions, identifies policy violations and automatically enforces pre-defined remediation actions, such as alerting users and administrators, quarantining suspicious files, encrypting data or blocking traffic outright.
Cloud Access Security Broker (CASB) – A CASB helps in identifying, monitoring and controlling enterprise data in cloud infrastructure, and it extends control to cloud applications. It is also sometimes referred to as Cloud DLP in terms of data-centric security.
Digital/Information Rights Management (IRM, DRM, ERM, EDRM) – DRM embeds the security controls into the data itself. These controls remain active while the data is being used or worked on, and they persist while the data moves.
It helps the enterprise keep control over the data even after the data has left the boundary of the enterprise. Some popular DRM controls are self-destruction of data and disallowing copy/paste/print of the document.
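The Data Classification and DLP entries above can be seen working together in the following added example (not code from any product or from the original article): content is labelled by sensitivity, and the label selects a remediation action. The labels, keywords, channel names and sample texts are all constructed assumptions.

```python
import re

# Constructed policy: sensitivity label -> remediation action (illustrative names).
POLICY = {"public": "allow", "internal": "alert",
          "confidential": "quarantine", "restricted": "block"}
ORDER = ["public", "internal", "confidential", "restricted"]
KEYWORDS = {"internal use only": "internal", "board note": "confidential"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate payment card numbers

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Content-based classification: return the highest label triggered."""
    label = "public"
    lowered = text.lower()
    for phrase, kw_label in KEYWORDS.items():
        if phrase in lowered and ORDER.index(kw_label) > ORDER.index(label):
            label = kw_label
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            label = "restricted"
    return label

def evaluate(text, channel):
    """DLP decision for data in motion ('email') or at rest ('storage')."""
    label = classify(text)
    action = POLICY[label]
    if channel == "storage" and action == "block":
        action = "quarantine"   # nothing to block at rest; isolate the file
    return {"label": label, "channel": channel, "action": action}

if __name__ == "__main__":
    for sample in ("Card 4111 1111 1111 1111 enclosed",   # constructed samples
                   "Draft Board Note for your views",
                   "Order ref 4111 1111 1111 1112"):
        print(evaluate(sample, "email"))
```

The third sample has the shape of a card number but fails the Luhn check, so it stays "public"; this kind of validation is what keeps pattern-based DLP rules from flooding administrators with false alerts.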
Scenario of Data-centric Security
One of the directors of the enterprise is on leave and has no access to corporate email or applications. An urgent Board Note (a confidential document) needs to be vetted by him. The director asks his office to send the Board Note to his personal email address for his views, and his office does so.
How can the security of the document be ensured?
Can we assume that after giving his views on the note, he has deleted the data from the device or email box?
Can the enterprise be 100% sure that the data will not be misused in future? – No
Solution – If we enforce DRM on the document, we can set the lifetime of the document itself. We can even recall or revoke access to information that we have shared with anybody. DRM maps the policy so that documents are protected automatically whenever they are discovered, detected, downloaded or shared.
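The Board Note scenario, as an added sketch that is not any DRM product's implementation: a usage policy with an expiry time and permitted actions is bound to the document and signed, and every access is checked against that policy and a revocation list. The key, identifiers, e-mail addresses and function names are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: a rights server holds SERVER_KEY and the revocation list. Real
# products also encrypt the content and enforce rights in the viewer; omitted.
SERVER_KEY = b"constructed-demo-key"
REVOKED = set()

def _tag(policy):
    """HMAC over the canonical policy so that edits to it are detectable."""
    blob = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, blob, hashlib.sha256).hexdigest()

def protect(doc_id, recipient, rights, expires_at):
    """Bind a usage policy (who, what, until when) to a document."""
    policy = {"doc_id": doc_id, "recipient": recipient,
              "rights": sorted(rights), "expires_at": expires_at}
    return {"policy": policy, "tag": _tag(policy)}

def revoke(doc_id):
    """Recall a document that has already been shared."""
    REVOKED.add(doc_id)

def authorize(envelope, user, action, now):
    """Decide whether `user` may perform `action` at time `now` (epoch seconds)."""
    policy = envelope["policy"]
    if not hmac.compare_digest(_tag(policy), envelope["tag"]):
        return (False, "policy tampered")
    if policy["doc_id"] in REVOKED:
        return (False, "access revoked")
    if now >= policy["expires_at"]:
        return (False, "document expired")
    if user != policy["recipient"]:
        return (False, "not an authorized recipient")
    if action not in policy["rights"]:
        return (False, "action not permitted")
    return (True, "ok")

if __name__ == "__main__":
    note = protect("board-note-001", "director@example.org", {"view"}, 1000)
    print(authorize(note, "director@example.org", "view", 500))
    print(authorize(note, "director@example.org", "print", 500))
    revoke("board-note-001")
    print(authorize(note, "director@example.org", "view", 500))
```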
Emergence of Data Protection Laws
2018 has been a significant year for privacy and data protection laws in the world.
Some of the popular data protection laws are:
GDPR – The EU General Data Protection Regulation (GDPR) took effect on May 25, 2019 and is a regulation in EU law on data protection and privacy for all individuals/citizens of the European Union (EU) and the European Economic Area (EEA). GDPR aims primarily to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
CCPA – The California Consumer Privacy Act (CCPA), a US law, was passed in California in 2018 and takes effect on January 1, 2020. The CCPA applies to businesses (regardless of location) that collect personal information about California residents, including customers and employees.
Bahrain has also passed a new, comprehensive data protection law, making it the first Middle East country to adopt a comprehensive privacy law.
One of the most significant privacy law developments of 2019 is expected from India. India’s draft bill introduces specific rights for individuals as well as requirements that processing entities have to meet. For example, businesses will need to implement organizational and technical safeguards regarding the processing of personal data, including for cross-border data transfers. The bill also calls for establishing a Data Protection Authority to oversee data processing activities.
The author is ICT Security, Risk & Compliance Manager, CNH Industrial