Data-driven needs, data-centric protection

A data-centric approach to security that focuses on securing the data itself rather than just the environment

Data-driven needs, data-centric protection

Image:
Data-driven needs, data-centric protection

The recent surge of data-driven, insight-producing innovations such as generative AI, computer vision, and large-scale natural language processing, have brought the value of data to the forefront.

The recent surge of data-driven, insight-producing innovations such as generative AI, computer vision and large-scale natural language processing have brought the value of data to the forefront.

Our digital-first world is data hungry, driving the need to leverage data across global silos at a scale and speed that we've never seen before. However, the rules for responsibly doing so, especially given the heterogeneous regulatory landscape, are unclear at best and frequently left undefined. Such uncertainty often puts the burden of protection on the party in possession of the data. And for businesses, taking ownership of that data — even temporarily — can significantly raise the organisation's risk profile in ways that can have very real and very expensive consequences. In order to minimise this risk and achieve the maximum flexibility needed to grow, adapt, and thrive in a shifting market, security strategies need to be designed around protecting the data itself.

In a data-centric security approach, protection strategies are focused on data at a granular level. Instead of working to build a stronger perimeter or more secure infrastructure, data-centric security is designed to protect data at all times. In many ways, data-centric security is the core of the zero trust philosophy which assumes that systems and networks are inherently compromised. As part of its updated zero trust guidance, the US Cybersecurity and Infrastructure Security Agency (CISA) said that "zero trust presents a shift from a location-centric model to an identity, context and data-centric approach with fine-grained security controls between users, systems, applications, data and assets that change over time."

When you can't trust your trusted networks or infrastructure, you need to focus on ensuring that the data assets that they contain are identified, categorised and protected at levels appropriate for their sensitivity and/or value.

Three states of data

At a foundational level, data exists in one of three states: at rest, in transit or in use.

Data at Rest is data stored in any digital form. It may reside in databases, data lakes, cloud storage, on the hard drive or in other locations. It is frequently protected by a number of common, industry-standard technologies such as access controls and encryption.

Data in Transit is the label given to data on the move. Often protected using transport encryption with industry standard techniques and protocols, the data assets can move through a public network, private network and/or untrusted space and remain protected.

Finally, Data in Use refers to data when it's being used or processed, the time during which a user extracts insights from data to yield value.

Methods for securing Data in Use include Privacy Enhancing Technologies (PETs), a family of technologies that includes homomorphic encryption, secure multiparty compute and trusted execution environments. PETs are unique because they protect the usage of data, enabling value to be extracted through operations such as search, analytics or machine learning without increasing risk or exposing sensitive data assets.

The CISA guidance referenced earlier specifically draws attention to these three states and highlights the importance of protecting each. When describing data encryption functions pertaining to zero trust, as well as the considerations for visibility and analytics, automation and orchestration, and governance within the data context, CISA says organisations that execute at an optimal level protect data in all three states: at rest, in transit and in use.

Data privacy

In addition to creating the foundation for ensuring the protection of data assets in the traditional sense, data-centric security enables organisations to better plan and account for the increasingly critical activity related to data privacy. In its 2023 From Privacy to Partnership report, The Royal Society made this distinction between the two pursuits: "Data security relates to protecting data as an asset, whereas data privacy is more concerned with protecting people: ensuring the rights of data subjects follow their data."

Organisationally, this is often further distinguished by the party in charge of overseeing it: CISOs traditionally lead all things security, while data privacy may be driven by a CIO or a Data Privacy Officer. For both objectives, ensuring data remains protected throughout its lifecycle — at rest, in transit and in use — will help ensure the basic thresholds of privacy and security are achieved.

The volume of data is consistently increasing, and the goalposts relating to protecting this value-delivering asset are constantly moving.

Lawmakers, regulators and business owners strive to keep up with the regulatory, policy and technological landscapes that push the bounds of any standard almost as soon as it is developed and adopted. As a result, data protection strategies will only be sustainable if they are designed with flexibility and adaptability in mind.

A data-centric approach to security that focuses on securing the data itself rather than just the networks, servers and applications it resides on is one of the most effective ways to address variability driven by rising cyber threats and regulatory pressures while deriving maximum value.

Ellison Anne Williams is CEO and founder of Enveil