The Need for Data-Centric SecurityInformatica's Shields on Protecting Data Beyond Traditional Controls
To adequately protect their data, organizations need to go far beyond encryption and implement a "data-centric security" approach, says Informatica's Robert Shields. That involves, for example, establishing a "data perimeter" using de-identification and masking.
"The traditional view that encryption is a safe harbor is somewhat inaccurate," Shields says. "The way encryption works and the myriad ways in which data is being used in organizations for various purposes... begs the question, how are you protecting the data once its decrypted?"
In this interview with Information Security Media Group (see full transcript below), Shields addresses:
- The current state of data protection and some challenges;
- The concept of data-centric security and its relevance;
- The need to look beyond encryption.
Shields is principal product manager for data security and privacy at Informatica, a software development company. He has extensive information security experience and helped introduce the company's key security technologies. Shields is well versed with encryption, two-factor authentication, computer forensics, eDiscovery and mobile security management from his previous roles.
Data Protection Challenges
Varun Haran: What is the problem with how data is being protected in the enterprise today?
Robert Shields: Protection of data today relies on perimeter security. The never-ending drumbeat of breaches has clearly demonstrated more is needed. Determined attackers - external or internal - can defeat the traditional controls.
Based on research we've done with the Ponemon Institute - we brought out our second annual research called the state of data security intelligence - we've asked basic questions, like what is your confidence that your organization knows where all its sensitive data is? Moreover, if you do know, do you understand the risks to it? Some of the responses are shocking - there is very low confidence in enterprises today.
Haran: What are some of the challenges that you see in the market as far as how sensitive data is protected is concerned?
Shields: From an information assessment standpoint, locating the data that organizations should be protecting is typically a very manually intensive process. The data is usually correlated into spreadsheets or some custom reporting tool they may have. The process may take up to nine weeks. So by the time the data is correlated, its out of date.
If you look at the rate at which applications multiply in an organization, the rate of data growth, and the rate at which personnel transitions happen, you need these assessments to be done in hours, versus weeks or months. This is one of the first inherent weaknesses that's out there today.
The second part is in protection. What is happening in the marketplace is that many folks have mistaken encryption as the primary control that should be used, along with access controls, to protect data. That's somewhat inaccurate, given how encryption is used to protect data. There are many cases where data is used by application, or is shared across the organization to warehouses and Hadoop clusters for analytics and reporting, where the data is now decrypted and in the open. This is where the de-identification, the de-sensitization of data is very important, where masking plays a key role along with encryption and tokenization.
Haran: What is the basic premise of data-centric security and how is it relevant to the security discussion today? What are the key components of a data-centric security model?
Shields: Data-centric security adds a "data perimeter" to the security infrastructure. The data perimeter relies on organizations understanding their sensitive data - its location, proliferation, protection status, value, etc. With this understanding, protection can be applied on the vulnerable data, and traditional security controls can be deployed/re-deployed and aligned to help remediate data risks.
Data-centric security begins with defining the data; the identification of sensitive data requires context. How is the data used, and what data is presented together will greatly influence how sensitive data is defined? With these definitions, deep discovery can then help organizations locate their sensitive data; this includes data and metadata scanning indicators or patterns of sensitive data. Once data is located, the data can be analyzed to determined risk.
Risk includes location, protection status, proliferation, cost, classification, etc. This provides organization a detailed landscape of their enterprises and where data risk should be remediated. Finally ... while some organizations have encrypted data at rest, encryption with masking can lower risk of vulnerable data by removing identifying or sensitive data.
Role of Masking
Haran: How is masking significant to the Data-centric security paradigm?
Shields: Encryption is being considered as somewhat of a safe harbor, when it comes to protecting data. The problem with that is that is only covering two use cases of the data itself - the data is being transmitted somewhere and is encrypted, or the data is being stored somewhere and is encrypted. There's a lot of other ways data is being used; its used by applications, by humans for viewing.
Creating a sensitive data landscape across an organization is a necessity. Encryption should be used, period. But encryption needs to be done with masking for sensitive data to address the gaps that encryption alone can't. For instance, when you have the need for groups of users to run analytics on data, does that necessarily mean that the group needs to see all the sensitive elements associated with that data store? Masking ensures that sensitive data can be accessed without potentially expanding the attack surface.