
Exclusive: Five steps to a data-centric security strategy

18 May 2018

Article by Digital Guardian EMEA VP and GM Jan Van Vliet

For most organisations nowadays, the network – in its traditional sense – no longer exists. With the proliferation of connected devices, data is no longer confined to four walls. IT teams’ concerns need to shift from worrying about who or what enters the network to focusing on the data itself – where it’s going, who’s accessing it and how it is being used.

Here are five steps to get you started:

1. Understand your data

First things first. Understand what you’re dealing with. Get to grips with what data needs protecting and the level of protection it needs. Step one is discovering the data (regardless of where it resides). Step two is to determine appropriate categories. Step three is to identify the sensitivity of that data – and prioritise security efforts on the most sensitive data first. And step four is to outline policies and procedures that allow employees and others who come in contact with the organisation’s data to operate within the framework of compliance.

2. Practice continuous surveillance

Advanced attacks do not occur at a single point in time. Neither should your surveillance. To protect data effectively, an organisation must consistently and continuously monitor, identify and classify data as it is created or modified. Constant data surveillance signals that you are serious about data protection. Data protection is not a stand-alone task – it is an on-going journey.

3. Get DLP right

Data loss prevention (DLP) is a critical part of comprehensive data-centric security. However, effective DLP implementation requires active participation from the organisation; it is not a “set it and forget it” platform. Effective DLP requires a contextual understanding of three factors: what actions may be taken with data, by whom and under what circumstances. As new data is created and people come and go, these policies will need to be adapted and updated. DLP is a constant process of understanding your data and how users, systems, and events interact with that data to better protect it.

4. It’s so much more than compliance…

Regulations such as the GDPR represent efforts to ensure that organisations are taking the right steps to protect sensitive data. But the protection of sensitive data is more than simply ticking the regulatory compliance box. Organisations should shift efforts towards expanding their objectives from simply focusing on the regulation aspect to protecting data from all threats. A data-centric security solution will tick both boxes.

5. It’s all about the context

Traditional DLP solutions focus solely on the actions of the insider and lack an awareness of external threats that target data. External threat actors aim to gain the access rights of an insider. Without threat intelligence and knowledge of unusual behaviours, DLP solutions are somewhat ineffective. It is paramount that the IT team is able to see, understand and stop external threats in action. A security product that protects data, without contextual awareness, will likely lead to data loss. Effective data protection requires organisations to understand and identify the root of an attack as fast as possible to prevent it from evolving and becoming a real problem.

Moving away from a traditional network focus to protect sensitive company data is undoubtedly the way forward in the age of digital transformation. With the perimeter now a borderless entity, IT teams must focus on protecting data, no matter where it travels or resides. Through a mixture of data classification, protection and threat intelligence, organisations can ensure greater protection of data at all times. 
