Current Landscape and Foundational Concepts of Data Security
Data is moving faster and further than ever, especially with hybrid work and cloud tools becoming the norm. In this three-part interview, we talk with Ron Arden, EVP, CTO, and COO of Fasoo, about what organizations need to know to keep sensitive information secure.
In Part 1, Ron shares his take on today’s biggest data security challenges, why many companies still approach it the wrong way, and how Fasoo’s data-centric model offers a different path, especially when data is shared outside the organization.
We started by asking Ron for his perspective on how the data security landscape is changing and what that means for organizations going forward:
Q: Given your extensive experience at Fasoo, how do you see the current landscape of data security evolving with the increasing prevalence of hybrid work models and cloud adoption?
A: The biggest security challenge organizations face is the explosion of unmanaged data, especially unstructured data. On average, each of us creates or interacts with about 50 documents every day. For an organization of 100 people, that’s 5000 documents. For larger ones, you can do the math. After a few months, the numbers get big, especially since people store documents everywhere – in the cloud, on laptops, phones, and numerous other repositories. Most organizations don’t know what they have and where it is. Is the data sensitive? Is it subject to regulations? What if it gets into the wrong hands? With people working from everywhere, this becomes a major problem.
As businesses strive to lower operational costs and reduce IT complexity, they are moving workloads to the cloud and allowing users to work from anywhere. With the disappearance of a traditional IT and security perimeter, it is difficult to control access to sensitive data. Most of these platforms are not under your control, and you rely on the provider for security. It’s easy to add authentication and authorization layers to them, but ultimately, you are responsible for your data, and if the provider has a breach, you are liable. Adding in AI makes it more complex as organizations want to control what their users upload into and download from public and private LLMs.
Mitigating risk is a main goal of CISOs, so understanding what you should control, where it is, and who has access to it becomes a major undertaking.
Q: In your opinion, what is the single biggest misconception organizations have about data security when it comes to collaborating with external partners or sharing information outside their organizational perimeter?
A: The single biggest misconception is that your partner has the same data security controls as you, and once it leaves your control, it will remain secure. As I said earlier, you are ultimately responsible for your data. If you share sensitive data with a partner, you are relying on them to keep it secure. Unless you conduct a thorough audit of their security posture, you are relying on legal agreements to safeguard your IP and regulated data. You may have legal recourse if there is a breach, but that doesn’t stop the data from leaking.
Many organizations use secure portals or file-sharing platforms to safely collaborate with partners. These tools are great at controlling access to data, but once the data leaves the secure platform, you can share it with anyone. If you assume the vendor of your platform builds the security in from the start, you may have gaps. They might give you tools, but it’s up to you to implement them. For convenience, someone may overshare and grant access to unintended people, compromising security. If you rely on email to share sensitive documents, there is little security beyond sending in a secure manner. Once out of your control, the data can and does go everywhere.
Q: Fasoo emphasizes data-centric security. Can you explain what that means and how it differs from traditional perimeter-based security models?
A: Data-centric security means you are protecting the data itself, not its location. Traditional security models protect the perimeter – the device, the folder, or the repository. They implement authentication and authorization controls to limit access. This means you give a user access to the location of the data, not the data. Once I can open the folder or device, I can do whatever I please with the data. I can copy and paste it to a chat application, email, or put it into a document on my desktop. Protecting the perimeter is not a good strategy for safeguarding your data.
Contrast this with a data-centric approach that encrypts sensitive documents and assigns granular access controls regardless of location. The user must authenticate each time they open a document. Granular permissions, such as View, Edit, and Print, are checked and granted or denied at the time the user opens the document. The controls are dynamic, so an organization can grant or remove access at any time if business conditions change.
Q: Fasoo specializes in data-centric security. Can you elaborate on how this approach fundamentally changes the paradigm of protecting data, especially when it leaves the direct control of the organization?
A: It removes the burden of protecting a location and concentrates on the data, which is what matters. Relying on perimeter-based controls means you must manage every location, including third-party environments. That is not feasible when collaborating.
Using a secure portal is great if you can guarantee the data stays there. We all know it doesn’t. When users download sensitive documents or receive them through other channels, they must be encrypted and controlled. Their access must be governed by a central policy that the data owner controls. This allows you to control your sensitive data regardless of who accesses it and where they access it.
I equate it to having your valuables in a drawer in a hotel room. If someone gets into the hotel and your room, they can take your valuables. Locking the hotel and the room is helpful, but ultimately doesn’t protect them. If you put them into a safe that only you can open, your valuables are protected.
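The model described in the last two answers (a document encrypted once, with View, Edit and Print decided by a central, owner-controlled policy at every open) sketched as an added example; it is not part of the interview and not Fasoo's code. `PolicyServer`, `open_document`, the document id and the user name are hypothetical, the caller's identity is assumed to be already authenticated, and the HMAC-based keystream is a standard-library stand-in for an authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode); stand-in for AES-GCM, not for production.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def _tag(key: bytes, nonce: bytes, body: bytes) -> bytes:
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()  # separate subkey for integrity
    return hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

class PolicyServer:
    """Hypothetical central policy service controlled by the data owner."""
    def __init__(self):
        self._keys = {}   # doc_id -> content key; never travels with the file
        self._acl = {}    # (doc_id, user) -> set of permissions
        self.audit = []   # (user, doc_id, action, decision)

    def protect(self, doc_id: str, plaintext: bytes) -> dict:
        key, nonce = os.urandom(32), os.urandom(16)
        self._keys[doc_id] = key
        body = _keystream_xor(key, nonce, plaintext)
        return {"doc_id": doc_id, "nonce": nonce, "body": body, "tag": _tag(key, nonce, body)}

    def grant(self, doc_id: str, user: str, *perms: str) -> None:
        self._acl.setdefault((doc_id, user), set()).update(perms)

    def revoke(self, doc_id: str, user: str) -> None:
        self._acl.pop((doc_id, user), None)

    def release_key(self, doc_id: str, user: str, action: str) -> bytes:
        # `user` is assumed to be an identity authenticated for this open.
        allowed = action in self._acl.get((doc_id, user), set())
        self.audit.append((user, doc_id, action, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{user} may not {action} {doc_id}")
        return self._keys[doc_id]

def open_document(server: PolicyServer, envelope: dict, user: str, action: str = "View") -> bytes:
    # Every open is a fresh policy decision; where the copy is stored is irrelevant.
    key = server.release_key(envelope["doc_id"], user, action)
    if not hmac.compare_digest(_tag(key, envelope["nonce"], envelope["body"]), envelope["tag"]):
        raise ValueError("envelope was modified")
    return _keystream_xor(key, envelope["nonce"], envelope["body"])
```

Because the key is released per open, revoking a user affects copies that have already left the portal: the next `open_document` call on any copy is denied and the attempt is recorded in `audit`.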
Conclusion
As Ron makes clear, the way organizations think about data security must evolve, especially as the lines between internal and external environments continue to blur. Perimeter-based models can no longer keep up with the pace, scale, and complexity of modern collaboration. A data-centric approach, as Fasoo advocates, ensures that sensitive information remains protected no matter where it goes or who has it.
But securing data inside your organization is just the beginning.
Stay tuned for Part 2: Securing Data Beyond the Organization, where Ron dives deeper into the challenges of external collaboration, the risks that come with it, and how to maintain control without getting in the way of productivity.