What Is Data Protection?

Jeremy Wittkop, CTO

09.02.2020

In the realm of Information Security, there are layers of complexity surrounding technologies, tactics, models, and strategies. For stakeholders both inside and outside the Information Security discipline, that complexity can sometimes be overwhelming as they seek to navigate, understand, and apply security measures in their own organizations.

It helps to start from a place of common understanding. At its core, the aim of your corporate Information Security efforts is to protect the information that matters most to your business and your customers. That fundamental goal is essential for compliance. It’s essential for maintaining customer trust in your brand. And it’s essential for the very life of your business.

Once you have that understanding, you can consider the methods, tools, and techniques to keep your information safe.

Start with the right question: What is data protection?

The first thing all your stakeholders should understand is that data protection is not a product. It is a discipline that integrates products from different categories to achieve the business objectives of protecting customers’ personally identifiable information (PII), protecting intellectual property, and complying with regulations.

At InteliSecure, we have always focused on data protection as the most important element of any Information Security program. (After all, the word information is in the name.) Some aspects of a broader Information Security revolve around securing traditional infrastructure. However, in the current business environment, data protection is a key business enabler.

The importance of data is highlighted in regulations such as GDPR and CCPA. The consequences of data loss show up in headlines involving companies that have been harmed by data breaches or theft of Intellectual Property. The question is no longer whether data protection is important but what data protection approaches are most efficient and effective.

Where we come from: The outside-in approach

The traditional model for data security is an outside-in model that assumes data is inside a protective perimeter. The aim of data security is to prevent threats from outside that perimeter.

This model persists in many organizations. Although security leaders repeat phrases like “the perimeter is dead,” the focus of their programs—and security spending—tells a different story. Let’s take a look at the elements that make up this model.

[Figure: What is data protection: the perimeter model]

Perimeter Security

The first element of the outside-in model is perimeter security. Many organizations place most of their security resources at this layer, implementing “Next Generation Firewalls.” I put this term in quotes because the technology now belongs to a previous generation. Firewalls apply security controls only to traffic that flows through the perimeter.

Network Security

Network security encompasses a number of security technologies; among the most popular and recognizable are on-premises web and email gateways. These technologies work well for office-based users doing most of their work directly on the corporate network. However, they struggle to keep up with the needs of a remote workforce.

Endpoint Security

These technologies address security at the user-device level (the endpoint). Technologies like antivirus software, Endpoint Detection and Response (EDR) platforms, and next-generation endpoint technologies such as CrowdStrike, Cylance, and Carbon Black make up this layer.

Application Security

Application security includes technologies such as web application firewalls (WAFs) and tools that review code for security flaws, such as static and dynamic code testing.

Data and Identity Security

Data and identity security solutions are logically and directly connected to the data assets that an organization is most trying to protect. In the traditional outside-in approach, these technologies are often an afterthought, not allotted the mindshare—or wallet share—that the perimeter-focused technologies receive.

The critical flaw in the outside-in approach is that it places the greatest emphasis on technologies furthest away from the objective—data security—rather than the technologies closest to the objective.

Recent events have accelerated remote work and digital transformation initiatives dramatically, revealing that the outside-in model is not only flawed but completely infeasible. Outside-in programs must be completely re-architected to meet the challenges of today—and tomorrow.

In the current environment, organizations that have focused on an inside-out approach are far more prepared to adapt their security programs to the changing realities around them.

Data protection now: Focus, flexibility, adaptability

The events of the last six months have accelerated trends that were already well underway. Digital transformation has been happening across companies of all sizes for more than a decade. Some organizations leaped in headfirst, adopting cloud apps and remote work models at a breakneck pace.

Other types of organizations have moved more slowly. Some companies hesitated to change systems that were working well for them. Organizations that are highly regulated are often also slow to change, taking extra time to weigh the consequences of change.

But then, the pandemic hit…

First, the perimeter completely dissolved as applications and workloads moved to the cloud and business leaders embraced these new technologies—with or without the support and buy-in of their security leadership—just to keep the business operating.

Now, workers are continuing to work remotely, and most are able to access the resources they need in the cloud. Connecting to resources through Virtual Private Networks (VPNs) is less common and a significant portion of network security products have been completely circumvented. Those that were still processing traffic a few months ago essentially went blind as the language of the internet changed to stronger encryption protocols and JSON calls rather than traditional methods of communication.

Along with the shift to work from home, many employees have been granted access to company resources, like email and applications, from non-corporate owned devices such as personal smartphones or computers. Thus, as endpoint technologies got stronger, they also became less prevalent on the devices interacting with data, since companies could deploy those controls only on devices they owned.

Application Security did not become less important; it just morphed into what we would now call cloud security, which is more relevant than ever.

Currently, cloud security, data protection, and Identity and Access Management are left standing alone, not as the only technologies that are valuable but as the only technologies that can realistically offer organizations comprehensive critical asset protection.

Building data protection for the future: Start with essential components

Data protection technologies fall into four major categories: Data Loss Prevention (DLP), Data Classification, Cloud Access Security Brokers (CASB), and Behavior Analytics.

Data Loss Prevention

DLP is the oldest and most recognized data protection technology and the concepts associated with it still play an important role. Before the advent of DLP in 2002, there was no way to distinguish which types of information were traversing network segments or being transferred. Traditional DLP is focused on endpoint agents, on-premises data repositories, and integration with web and email gateways. Modern DLP solutions also integrate with CASB or offer their own cloud data protection capabilities natively.

Data Classification

These tools enable organizations to categorize information and stamp that information with a metadata tag. The tags then enable the creation and enforcement of data rules and help organizations educate users about which data types they can use and how and where data use is allowed to happen. Data Classification solutions are often tightly integrated with DLP.
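The two preceding sections describe how a classification tag stamped on content becomes the input to a DLP rule. The following example, added here and not part of the original post or any InteliSecure product, shows that pipeline end to end: content detectors (an SSN pattern, a card-number pattern filtered by the Luhn checksum, and a text marker for internal documents) choose the highest-sensitivity tag, and a destination policy keyed on that tag decides whether a transfer is allowed, encrypted, or blocked. The detector patterns, tag names, destination names, and sample documents are all constructed for illustration.

```python
"""Content-based classification tags feeding a DLP transfer policy (illustrative example)."""
import re
from dataclasses import dataclass
from typing import Dict, Set

# Constructed, simplified detectors for the content types the policy cares about.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
INTERNAL_MARKER = "internal use only"

# Sensitivity ranking: the highest-ranked finding decides the tag stamped on the document.
RANK = {"PUBLIC": 0, "INTERNAL": 1, "PII": 2, "PCI": 3}

# Hypothetical DLP policy: for each tag, the destinations that may receive the data.
POLICY: Dict[str, Set[str]] = {
    "PUBLIC": {"corporate_email", "personal_webmail", "sanctioned_cloud", "unsanctioned_cloud", "usb"},
    "INTERNAL": {"corporate_email", "sanctioned_cloud"},
    "PII": {"corporate_email", "sanctioned_cloud"},
    "PCI": {"sanctioned_cloud"},
}


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum: separates plausible card numbers from arbitrary digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for idx, d in enumerate(reversed(digits)):
        if idx % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Stamp the document with the most sensitive tag its content triggers."""
    findings = {"PUBLIC"}
    if INTERNAL_MARKER in text.lower():
        findings.add("INTERNAL")
    if SSN_RE.search(text):
        findings.add("PII")
    if any(luhn_valid(m.group()) for m in CARD_RE.finditer(text)):
        findings.add("PCI")
    return max(findings, key=RANK.__getitem__)


@dataclass
class Verdict:
    tag: str
    action: str   # "allow", "encrypt" or "block"
    reason: str


def evaluate_transfer(text: str, destination: str) -> Verdict:
    """Apply the destination policy for the document's tag to a proposed transfer."""
    tag = classify(text)
    if destination not in POLICY[tag]:
        return Verdict(tag, "block", f"{tag} data may not be sent to {destination}")
    if tag == "PII" and destination == "corporate_email":
        return Verdict(tag, "encrypt", "PII leaving by email must be encrypted")
    return Verdict(tag, "allow", f"{tag} data permitted to {destination}")


if __name__ == "__main__":
    # Constructed sample documents; the card number is a well-known test value, not a real account.
    samples = [
        ("Q3 newsletter draft", "usb"),
        ("Internal Use Only: 2021 roadmap", "personal_webmail"),
        ("Applicant SSN 123-45-6789", "corporate_email"),
        ("Refund to card 4111 1111 1111 1111", "usb"),
    ]
    for doc, dest in samples:
        v = evaluate_transfer(doc, dest)
        print(f"{v.tag:8} {v.action:8} {dest:18} {v.reason}")
```

The ordering in `classify` matters: a document containing both an SSN and a card number is tagged `PCI`, not `PII`, because enforcement has to follow the strictest rule that applies. The Luhn filter is what keeps the card detector from blocking every invoice number that happens to be sixteen digits long, which is the kind of false positive that erodes user trust in a DLP rollout.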

Cloud Access Security Brokers

CASB solutions are cloud-native technologies designed to help organizations gain visibility into data movement and control how data moves to and from sanctioned and unsanctioned cloud repositories. These solutions, along with cloud-based web and email gateways, are helping organizations deploy flexible controls that are effective regardless of where a user is located and whether that location is on or off a corporate network.

Behavior Analytics

Also called User and Entity Behavior Analytics (UEBA), this process leverages machine learning, algorithms, and statistical analyses to examine users’ behavior and compare it to a baseline that defines what’s normal for them, their organization, or their job function. The analysis produces a risk score that informs responses to non-typical behaviors. In its most effective form, these risk scores can then be used to dynamically adjust security policies so they become more restrictive in high-risk situations and more relaxed when a user is going about his or her daily duties.
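To make the baseline-and-risk-score idea concrete, here is a small statistical UEBA model added as an example; it is not code from the original post or from any InteliSecure service. It keeps a per-user baseline and a peer-group baseline (built from everyone else with the same job function), scores an observed daily count of sensitive-file downloads by how many standard deviations it sits above the nearer of those baselines, and maps the score to a policy tier. The history, job-function mapping, threshold values and tier names are constructed assumptions. The peer-group comparison is what catches the third user below, whose own history is consistently far above her peers and so looks normal against a per-user baseline alone.

```python
"""UEBA-style risk scoring with per-user and peer-group baselines (illustrative example)."""
import statistics
from typing import Dict, List

# Constructed sample history: daily counts of sensitive-file downloads over five working days.
HISTORY: Dict[str, List[int]] = {
    "alice": [10, 12, 11, 13, 14],
    "bob":   [20, 22, 21, 23, 24],
    "carol": [50, 52, 51, 53, 54],
}

# Constructed job-function mapping used to build each user's peer group.
JOB_FUNCTION: Dict[str, str] = {"alice": "engineer", "bob": "engineer", "carol": "engineer"}


def zscore(values: List[int], observed: float) -> float:
    """Standard deviations between an observation and the baseline built from `values`."""
    mean = statistics.mean(values)
    sd = statistics.pstdev(values) or 1.0   # a perfectly flat history would otherwise divide by zero
    return (observed - mean) / sd


def peer_values(user: str) -> List[int]:
    """Pooled history of every other user with the same job function."""
    return [
        v
        for other, values in HISTORY.items()
        if other != user and JOB_FUNCTION[other] == JOB_FUNCTION[user]
        for v in values
    ]


def risk_score(user: str, observed: float) -> float:
    """Risk on a 0..100 scale; only upward deviation from normal counts as risk here."""
    z_user = zscore(HISTORY[user], observed)
    peers = peer_values(user)
    z_peer = zscore(peers, observed) if peers else 0.0
    z = max(z_user, z_peer)
    return max(0.0, min(100.0, z * 10.0))   # assumed scaling: 10 points per standard deviation


def policy_tier(score: float) -> str:
    """Dynamic policy: the riskier the behaviour, the more restrictive the controls applied."""
    if score < 25.0:
        return "standard"
    if score < 60.0:
        return "step_up_mfa"
    return "restrict_and_alert"


if __name__ == "__main__":
    # Constructed observations for today's activity.
    for user, today in [("alice", 13), ("alice", 40), ("carol", 53)]:
        score = risk_score(user, today)
        print(f"{user:6} downloads={today:3} risk={score:6.2f} tier={policy_tier(score)}")
```

Alice downloading 13 files is within her own noise and stays on standard policy; 40 files is many standard deviations above her history and lands in the most restrictive tier. Carol's 53 files barely moves her personal z-score, but against her peers it scores high enough to restrict and alert, which is the point of keeping an organisational or job-function baseline alongside the individual one.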

Align data protection programs with business objectives, not technologies

Across industries and companies, the need to protect both intellectual property and customers’ PII from constantly emerging threats—both external and internal—is paramount. Building an effective data protection program generally relies on multiple technologies, but no single technology does everything and integration is difficult.

Compounding the problem is the fact that there are few specialists in the data protection discipline to go around because many organizations have relied on perimeter-based, outside-in approaches for far too long.

Fortunately, managed data protection services offer a cost-effective way to centralize, design, and manage a comprehensive data protection program. Managed service providers like InteliSecure:

  • Can provide deep, focused data protection expertise and optimal staffing
  • Are intimately familiar with available data protection technologies—and understand how to make them work together to produce a defined business outcome
  • Help guide organizations to an effective data protection strategy that adapts and matures as business needs change

In an environment of widespread data use and disparate systems and solutions, InteliSecure is the glue that holds together multiple technologies and tactics. We help you achieve your primary objective: protecting sensitive data.

Ready to Reduce Data Protection Complexity?

We can help. InteliSecure’s managed data protection services are purpose-built on a proven methodology to simplify and streamline data protection strategy and management. Reach out if you are:

  • Struggling to protect your sensitive information
  • Looking to consolidate vendors or reduce spending without diminishing the effectiveness of your program
  • Seeking a more efficient way to staff your program

We are glad to share our expertise. Contact us today.