Three predominant data-centric security
methods
There are three predominant methods in the market today to prevent loss and unauthorized access to sensitive unstructured data. Each is different and the best way to compare and contrast the methods is to understand what a vendor’s solution looks to defend and the primary data-centric tools used.
| METHOD |  Data Flow-Centric |
 Location-Centric |
 File-Centric |
|---|---|---|---|
|
DEFENDS |
Data at Ingress/Egress Points |
Folders, File Shares, Disk, Cloud | Files |
|
TOOLS
|
Data Loss Prevention |
Identity & Access Management |
Persistent Encryption |
Today, with increasing threats and the consequential impacts of a data breach, more organizations are adopting a file-centric method as the foundation of their data-centric architectures. It’s the only method that truly denies unauthorized access to your sensitive data no matter how it flows or the location it resides. This protect-first foundation recognizes that if data isn’t properly protected – your entire house crumbles.
A file-centric method works as a frontline defense and can be deployed in combination with other methods to achieve a fortified, cohesive data-centric security architecture. Understanding the key distinctions between the methods helps you navigate vendor engagements and build a protect-first architecture that best fits your needs
Data Flow-Centric
These solutions defend sensitive data at corporate infrastructure ingress and egress points and use data loss prevention (DLP) tools to stop data leakage. Ingress and egress points include servers, networks end-points, and cloud services.
Today, the majority of businesses have deployed DLP as point solutions – known as Integrated DLP (e.g., network DLP, email-server DLP, or end-point DLP) while few have scaled to a full enterprise DLP deployment (e.g., a full solution suite across all points).
Data flow-centric characteristics:
DEFENDS:
Prevents data from leaking by intervening with the use or movement of data.
TOOLS:
Content matching that actively looks for regular expressions, defined strings, keywords, patterns or data dictionaries.
Additional tools that can be used include fingerprinting (indexing) and image recognition.
DLP solutions set up rules that specify conditions, actions and exceptions. The tools filter messages and files based on their content and prompt corrective measures. They can simply alert a user that an action may be risky or completely block the action. Examples include alerting when sharing sensitive data through email and restricting the copying of sensitive files onto a USB drive.
Many organizations have implemented email DLP since this is the most obvious ingress/egress point prone to unauthorized exchanges of sensitive data. While there are measured improvements, security and IT administrators still have challenges when implementing and operating DLP solutions, such as:
Too often businesses have inappropriate expectations for DLP. It works - but many underestimate the complexities and resources needed to build, tune, and manage policies to fit your environment. You should anticipate iterative refinement of rules and alert resolution.
KEY INSIGHT:
Data flow-centric solutions are good at reducing risk but not a strong, protect-first approach. They don’t defend the data itself, but only how it flows in your organization. Any leakage exposes the data to unauthorized disclosure.
Location-Centric
These solutions defend sensitive data storage locations. They look for gaps and inconsistencies in identity and access management (IAM) and apply user behavior analytics (UBA) to reduce the risk of unauthorized disclosure of sensitive data. Locations include folders, file-shares, disks, and cloud services.
Location-centric characteristics:
DEFENDS:
Folder, file-share or disk from unauthorized access and suspicious usage.
TOOLS:
Analysis of IAM settings and policies to find discrepancies and obsolete controls.
UBA to monitor and detect anomalous events.
Unlike DLP solutions that query and assess content repetitively, location-centric solutions pre-process, classify, and tag sensitive data. These tags flag where sensitive content is located within your IT data architecture and use:
Location-centric solutions are easier to implement than rules-based data flow-centric solutions because the tools are non-intrusive and use system log and UBA. Location-centric solutions place priority on data visibility and are superior to many approaches when it comes to privacy compliance, audit and reporting requirements.
However, drawbacks with location-centric solutions include:
While obfuscation tools are not native to these solutions, some do use data encryption while the data resides and is used within a particular location. However, when files are downloaded to endpoints, stored in personal cloud accounts, and shared outside the location - protection, visibility and control is lost.
KEY INSIGHT:
Location-centric solutions use a “least privilege” approach as the foundation for their data protection method – not a “protect-first” approach. Critical gaps arise when data is moved from its original location, and lacking persistent encryption, expose your sensitive unstructured data to a breach.
File-Centric
In contrast to the other methods, persistent encryption and IAM are tied to and travel with the file. This is independent of networks, severs, locations and devices.
File-centric characteristics:
DEFENDS:
Office documents, CAD/CAE files, PDF, plain text, other digital media file types.
TOOLS:
Encryption is persistent, centrally managed and enforced at the file level.
IAM is assigned and enforced at the file level
The method uses data classification tags to:
File-centric solutions were historically used for very specific use cases but today are experiencing a market resurgence. Modern solutions take advantage of the latest in software tools like RESTful APIs and open operating system standards to work transparently across the enterprise. Centralized policies ensure access and protection are consistently applied across all networks, file-shares, devices, end-points and cloud services.
And when it comes to denying access to sensitive content, the file-centric method is by far the best "protect-first" approach. Here's how leading analyst are advising clients:
Look for file-centric solutions that automate discovery, classification and encryption in a single instantaneous step without user intervention. This improves productivity and consistency in application of policies.
KEY INSIGHT:
File-centric solutions use a “protect-first” approach as the foundation of their data protection method. Persistent access control and encryption remains with the file throughout its life-cycle. Most privacy regulations exempt loss of encrypted files from breach reporting or alternatively, impose significantly reduced penalties.
Protect-First,
File-Centric
Approach
Organizations struggle to distinguish between data-centric solutions from different vendors as they search for the best way to safeguard their sensitive unstructured data. Data-centric security encompasses a wide range of processes and tools, many with overlapping functions and focused to different end goals. Adding to this confusion has been a flurry of gap-filling point solutions (e.g., CASB, end-point protection) launched to address today’s cloud and mobility adoption.
And despite significant investments in traditional data flow and location-centric methods, data breaches today are at all time highs.
Adopt a protect-first, file-centric method for your data security architecture. Establish this strong frontline defense to deny any unauthorized access to sensitive unstructured data, no matter how it is used, with whom it is shared, or where it is located. Then, use this foundation to integrate other data-centric methods and tools to architect a data security infrastructure that meets your organization’s governance, risk and compliance mandates.
Fasoo products span the life-cycle of sensitive unstructured data to discover, classify, protect, monitor, control, track and expire access to content wherever it travels or resides. Our unified solution enables users to securely collaborate internally and externally with sensitive information while consistently meeting corporate governance and regulatory requirements. Our file centric approach using encryption with a unique identifier allows organizations to have more visibility and control over unstructured data without interrupting workflows. We’ve engaged in this journey with over 1,500 enterprises to field data-centric solutions that proactively protect corporate brand, competitive position and meet increasing regulatory demands.
Sign up for emails on new Sensitive Unstructured Data articles
Never miss an insight. We’ll email you when new articles are published on this topic.
I read a 
Fasoo sponsored and presented at an event in Columbus, OH on November 13, 2018 entitled “Incident Detection, Response and Recovery” highlighting how to prepare and manage an incident response plan for cybersecurity and data protection. Presented and cosponsored by Catalyst Solutions, IBM and Huntington Insurance, the event brought together experts in legal, insurance, law enforcement, government, accounting and security disciplines to discuss the legal, technical and business issues of preparing for and responding to a data breach.
Following our successful event in Rochester, the second of the NYDFS 23 NYCRR 500 roadshow events at Phillips Lytle LLP in Buffalo, NY on May 17, 2017 brought together executives, insurance, legal, and security professionals in a great forum to discuss challenges for financial services organizations to meet the new cybersecurity regulations that went into effect on March 1, 2017. A full house heard some practical advice designed to assist entities regulated by the New York Division of Financial Services (NYDFS) comply with the new regulations.
