The belief that effective perimeter security is the best way to protect data is a fallacy that is being repeatedly exposed. We must recognise the need for a data-centric security model to protect data from both internal and external threats, but what does this mean for security professionals?
Protecting the environment perimeter is no longer sufficient in a new world where organisations are moving increasing numbers of applications and storage to the cloud and relying more on third parties across their integrated supply chains.
Internal IT infrastructure is now housing significantly less data, with Forbes research suggesting that currently only 37% of enterprise workloads are on-premise.
In addition, even the best perimeter security will not protect against the growing insider threat. The Verizon 2019 Data Breach Investigations Report says that 34% of all breaches in 2018 were caused by insiders, and those risks are increasing as more organisations adopt bring-your-own-device (BYOD) approaches, which can lead to data leaks.
All these factors mean that while perimeter security will remain important, it needs to be coupled with an AI-optimised, data-centric strategy that will protect against the most prevalent and hard-to-detect threats.
This kind of data-centric approach can be very effective, but it has to be applied to the entire organisation and must be supported by senior people across all the key organisational functions.
It is also important that the approach takes a long-term view, providing a multi-year strategy that takes into account the information security architecture, governance, technology and people and skills that will be needed over that period.
It is equally vital that the strategy establishes an architecture that is flexible enough to accommodate changes in people and technology capability. CISOs and cyber security managers need to shape the vision and strategy to align cyber security objectives with organisational growth objectives.
The real benefits of a data-centric security model come from the way it helps organisations to understand and analyse the increasing amount of data available and then use it to inform decision-making.
To do this effectively, they need to know how they want to use this data and have the tools to enable the outcomes they want to see. In many organisations, this means moving from a culture of need-to-know to one of need-to-share.
Typically, data-centric approaches to cyber security have focused on data classification, encryption, data loss prevention, and reporting and compliance. Big data and artificial intelligence (AI) technology can enhance these capabilities by making it easier to pick up on unauthorised access to personal information and to protect against non-compliance with the General Data Protection Regulation (GDPR) Article 25.
AI tools can be particularly effective in tackling insider threats by making sense of large amounts of data and building intelligent inferences about people and groups. They also enable real-time analysis of diverse data sources, predominantly network traffic, endpoints and user behaviour. This means they can understand patterns of user behaviour that are not obvious to the ‘human eye’ and which we may not otherwise look for.
Blending this type of AI into the data-centric approach both collects auditable data and enables human interrogation and insight to genuinely augment the story that it is telling. This means that if the worst happens and an incident occurs, this rich context and chain of evidence enable a quicker investigation and response and could be used to meet the GDPR Article 33 or NIS Directive 72-hour incident notification timeframes.
As new developments happen at an increasingly fast pace, it is vital that organisations use all the tools at their disposal to increase their data security. That means security professionals and the business as a whole need to understand the nature of new threats and adapt their defences and ways of working to meet them.
Stuart Lyons is a cyber security expert at PA Consulting