The world is changing quickly. It stands to reason that Information Security leaders must also change their thinking to adapt. But in most organizations, it’s not that simple.
Old habits die hard and many people do not want to change what is familiar, even if it no longer works. That is why organizations continue to invest money and effort in perimeter-focused security, even when the consensus across the security community is that the perimeter is dead. Organizations need a fundamentally different approach to keep up with the modern threat landscape. However, most security programs disproportionately emphasize perimeter and on-premises security approaches, while treating cloud security as a separate entity.
As Marshall Goldsmith says, “What got you here won’t get you there.”
To move to the adaptive approach that’s required today, we need to shift our understanding of what we are protecting. “Perimeter security” is reminiscent of an old world in which we protect places. “Data security” is an improvement in perspective, but it still misses the point.
What we really should be doing is protecting the business.
What Is Business-Centered Security?
This approach doesn’t start with technology. Just like it sounds, business-centric security puts the business and its interests at the center of the program. It’s the difference between protecting a building and protecting a person. A building is static; you can protect it by building walls and fortifications. People are dynamic; they move throughout the world interacting with others and constantly changing locations.
For Information Security teams to be successful in the modern world, they need to think less like castle guards and think more like bodyguards.
In a practical sense, what that means is defining the lifeblood of the business—its critical data assets—as the foundational element of any information security program. Only then can you determine what technology you’ll need.
3 steps to build business-centered security
Think about how the Secret Service operates. When the president is visiting a new place, do you think the Secret Service agents simply get in the car with him and hope for the best? Or do they know everywhere he is going to go, make sure the route is safe for him beforehand, and set up observation posts along the route to look for any anomalies that may threaten his safety?
That approach is how we look at business-centric security. At InteliSecure, when we create a data-protection strategy, we start by defining a Critical Asset Protection Program. A CAPP is a multi-faceted approach that starts with three actions:
- Identify the data that is critical to the business and understand where that data flows inside and outside of your environment.
- Deploy the appropriate technology controls to monitor that data and protect it throughout its journey.
- Invest in the people necessary to maximize the value of the program.
Take a Practical Approach to Evaluating Data Protection Technology
When you start with the business in mind, you can see a logical progression for shifting your data security strategy. Information technology tools are not the focus of the strategy—but they are essential to its implementation. Thus, you’ll want to keep some technical considerations in mind as you work through the strategy steps.
Identifying critical data assets and how they are used
Today, technology solutions approach data identification in a couple of ways. The first is through content analytics. The best-known method of analyzing content is a set of technologies and capabilities known as data loss prevention (DLP). These technologies have been around for some time and still represent the simplest way to identify specific content. Since the advent of GDPR and other global privacy regulations, we have seen privacy-focused DLP solutions come to market that fill the same role, albeit for a more specific compliance purpose.
The second way to identify data is through data classification and tagging. Thanks to Microsoft, many companies have this capability as part of their licensing scheme, whether they have deployed it or not. Some technologies allow organizations to classify and tag information without a heavy reliance on the end user, but in most cases, data classification is user driven.
Both approaches have strengths and weaknesses. DLP takes a governance-centric, top-down approach. The inherent weakness here is speed; there is always a time lag between the creation of a new type of sensitive information and when it is recognized in the governance structure. As a result, that data is at high risk during the lag time.
Data classification is a bottom-up approach that relies heavily on the end user. It does not suffer from the speed challenge that the governance approach does because users can classify the information at the point of creation. It does, however, suffer from human error and intentional misuse.
When you combine both technologies in a trust-but-verify strategy, you can comprehensively identify your data; one technology compensates for the inherent weaknesses of the other.
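The trust-but-verify combination described above can be sketched as a reconciliation between a user-applied label and a content check. This is an added example, not InteliSecure's or any vendor's code; the three-level label scheme, the pattern names, and the sample documents are assumptions constructed for illustration.

```python
import re

# Label ranks for a hypothetical three-level classification scheme.
RANK = {"Public": 0, "Internal": 1, "Confidential": 2}

# Governance-defined content patterns (illustrative, not a vendor rule set).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def content_hits(text: str) -> list[str]:
    """Top-down check: which governance-defined patterns appear in the text."""
    hits = []
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        hits.append("payment_card")
    if SSN_RE.search(text):
        hits.append("us_ssn")
    return hits


def reconcile(label: str, text: str) -> str:
    """Compare the user's label (bottom-up) with content inspection (top-down)."""
    hits = content_hits(text)
    if hits and RANK[label] < RANK["Confidential"]:
        return "under_classified"  # human error or misuse; content rules caught it
    if not hits and label == "Confidential":
        return "no_rule_yet"       # user flagged data the rule set does not cover yet
    return "consistent"


# Constructed sample documents; the card and SSN values are well-known test values.
DOCS = [
    ("Public", "Lunch menu for Friday"),
    ("Internal", "Refund to card 4111 1111 1111 1111 approved"),
    ("Confidential", "Draft acquisition terms for Project Heron"),
    ("Confidential", "Employee SSN 078-05-1120 on file"),
]
RESULTS = [reconcile(label, text) for label, text in DOCS]
```

The `under_classified` result is the case where content inspection compensates for a user's label, and `no_rule_yet` is the governance lag case where the user's label is the only signal, which makes it a candidate for a new content rule.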
Set up observation posts wherever data will go
When it comes to identifying anomalous data use, many organizations assume no news is good news. In fact, most organizations that do not see any unusual data use or user behavior are looking in the wrong places—or not looking at all. Blindness is not equal to security. What you don’t know will hurt you.
Data observation means ensuring you can inspect data on laptops and desktops you own and in your on-premises networks, email systems, web proxies, and cloud services. You may deploy one or many technologies to accomplish this. It is important to ensure you are observing comprehensively and in the right places.
Identify anomalous behavior in individuals and data
Make no mistake, even with all the sophistication of attacker technologies, AI, and intelligent malware, there is a human being behind every attack. At some point, you must have an intelligent defender to thwart an intelligent attacker. Technology can help, but at best it plays a supporting role.
In many cases, your security teams can apply User and Entity Behavioral Analytics (UEBA) tools or other capabilities in concert with your chosen data and cloud protection technologies. Those tools provide some insight into user behavior and potential account compromises. Some may even allow you to modify policies in real time based on the risk rankings associated with a user or account.
However, when it’s time to evaluate, escalate, and take action on a security event, there is no substitute for human decision making. There is no shortcut; you must have good analysts looking at data events and applying the proper status based on a qualitative analysis of the event and the surrounding context.
It takes a human to protect against attacks originating from humans.
Putting the Strategy Together
It’s important to recognize that today, no one platform covers all the requirements for enterprise data protection. Organizations will need to carefully examine the information security technology solutions they are using and analyze where there are gaps—and where there may be overlaps.
The key to success in a business-centered data protection strategy is the ability to integrate disparate tools, policies and procedures, and human actions in a harmonious fashion.
If the people running your data protection program are inside your organization, expect to invest continuously in training. They will need the skills to adapt at the pace of the business, embracing new technologies and tactics as things change.
If you choose to outsource, choose a services partner with focused expertise in these areas.
By building a Critical Asset Protection Program with InteliSecure and implementing the proper technologies, you are essentially planning your route, establishing your observation posts, and defining normal data behavior so anomalies may be easily identified.
By taking these steps you can successfully shift from network and perimeter-based security to business-centered security and help protect your organization into the future.
What is the focus of your current data protection program?
If you’re still investing in perimeter-focused security—but your users are working outside the perimeter—it’s time to consider a business-centered strategy. Let us help. Contact InteliSecure for a no-obligation whiteboard session.