Getting Started with Data-centric Security

With a proliferation of cyber-attacks throughout the pandemic, data-centric security has been pushed to the forefront of many organizations’ cybersecurity strategy. Even companies with mature security programs are vulnerable to breach, and since data is a valuable asset, it is crucial to properly protect it. The importance of securing data, whether it is at rest or in-use, is being understood as companies realize the consequences of data breaches and non-compliance with data privacy regulations.

What is data-centric security and why does it matter?

The answer is practically in the name. Data-centric security centers itself around the data; it focuses on securing data where it is stored and processed, rather than solely protecting the perimeters around it. It takes a zero-trust approach alongside the principle of least privilege with regards to user access, ensuring the utmost protection of valuable assets.

This matters because, with the surge in cyber-attacks, many organizations have had to deal with the repercussions of data breaches, such as reputational damage, fines for non-compliance, and loss of business.

Furthermore, with data security a key consideration when arranging an organizations budget, by following a data-centric model provides not only the best type of protection against threats, it also delivers the highest value and minimizes compliance burden.

How should a company get started with data-centric security?

When companies decide to implement data-centric security, they are able to take control of their own sensitive data, which lowers compliance costs and reduces the risk of data breaches drastically. There are 5 steps to implementing data-centric security:

1. Locate sensitive data: First, companies must identify all places where their data is stored, processed or used. This is a necessary first step in complying with regulations, by carrying out regular risk assessments, logging access and data disposal.
2. Data minimization and reduction of scope: This is a common best practice to reduce the amount of data being processed within the organization. It has the advantage of minimizing general risk and reducing the time, effort and costs that are associated with securing data.
3. Data protection risk impact assessments: With the threats to personal data and cardholder data continuously changing, organizations must conduct regular reviews to measure how well their data is protected and update their security programs accordingly.
4. Define policies & protection methods: Security policies should define which data is going to be protected and how. Data classification tools can help by identifying data elements and deciding the right protection methods to use. For example, every employee’s account poses a vulnerable attack vector, so access should be extremely limited.
5. Have an audit trail: Companies should always log their access to sensitive data, as it is an indispensable part of any data security strategy. Access logs are also useful for proactively detecting potentially malicious activity.

With attackers continuously focusing on data assets, endpoints and identities, we must shift the focus from securing networks, applications and endpoints to identifying and protecting vital data. Not only will companies be better prepared in the event of a breach, but they will also be uniquely positioned to protect their assets that matter the most while adhering to the strictest of security and privacy laws.