From Access-Centric Security to Data-Centric Security

Originally published by Lookout.

Written by Maria Teigeiro, Lookout.

In the early days of internet security, an access-centric security model made sense. Access lists on routers were complemented by firewalls and, later, intrusion detection systems. Given the processing capacity available at the time, this was absolutely adequate and appropriate for protecting a website, even with e-commerce.

But that was the 1990s, and the internet has become so much more than websites with some shopping capabilities. Now, it’s the backbone of our society. The web has given us the infrastructure to make remote work viable, the ability to stay connected on the go with mobile devices, managing various aspects of our lives, like healthcare and finances.

Given that the internet is now accessible everywhere, and there are now millions of cloud apps, why would we want to use the same security approach for today's infrastructure that we used in the nineties? Today, we have cloud-native apps and mobile apps, which enable users to interact with the web without ever reaching the corporate premise. Clearly, we are beyond the days of perimeter security — the firewalls that we’ve relied on for decades now look more like a fishing net than a brick wall.

In a time when apps are updated in cycles measured in weeks, with microservice-based architectures spread across clouds, and API calls to SaaS apps, an access-centric perimeter approach seems as adequate as a horse pulling a car.

Adopting a data-first security mindset

Instead of looking at access, we need to shift our mindset to focus on the data. At the end of the day, where the data resides should be secondary, and the concern should be how to secure the data.

Take a productivity suite like Microsoft 365. If you’re using an access-centric approach, you can upload any file you want there as long as you’ve been granted access. It could be a spreadsheet of donations for a sick colleague or a list with customer credit card numbers. The access-centric approach doesn’t care what you’re uploading. Even with the best of intentions, users are humans who make mistakes and upload the wrong files.

The problem is that there is a whole lot of data users should not be able to upload. With the alternative data-centric approach, the app or cloud becomes the implementation detail to the central policy — for example, that files with credit card numbers should not be uploaded anywhere.

Organizations already know they have sensitive data such as protected health information (PHI), personally identifiable information (PII), payment card information (PCI), intellectual property, earnings reports, and more that need to be secured. Implementing a data-centric policy is as simple as using data loss prevention (DLP) tools to recognize sensitive data and identify the action that needs to be taken with it, including redaction, or masking. In the example above, a user who mistakenly clicks on a file with customer credit card numbers for upload could be challenged or even have those numbers automatically redacted.

This model moves security from the “Department of No” to the “Department of Go.” Instead of inhibiting access to apps because there may be an item of data which is sensitive, the application can be accessed with sensitive data redacted. This fosters collaboration instead of inhibiting it.

Data-centric security enables collaboration

When it comes to protecting sensitive data, your organization needs to be proactive about making sure that data is both secure and accessible to the people who need it. If you’re using the access-centric model, you have to rely on your security teams to audit apps for sensitive data.

But by embracing the data-centric model, you can use modern DLP to identify and classify data as soon as it appears. Not only does that strengthen your security posture, it ensures the data remains accessible.

Here are a few things that become possible with a data-centric approach:

• Blocking uploads and downloads of files based on the content of those files, including images.
• Masking fields with sensitive data in SaaS apps.
• Encrypting files based on content using your keys, which you can expire at any time.
• Removing external email addresses on emails with sensitive data, or removing the data itself.

When security moves from access-centric to data-centric, security becomes a collaboration enabler. It doesn’t block employees from accessing all data just because of the presence of a few sensitive items. And at the end of the day, it’s the data that matters.