Three predominant data-centric security methods
There are three predominant methods in the market today to prevent loss of, and unauthorized access to, sensitive unstructured data. Each is different, and the best way to compare and contrast them is to understand what a vendor’s solution sets out to defend and which data-centric tools it primarily relies on.
| Method | Defends | Tools |
| --- | --- | --- |
| Data flow-centric | Data at ingress/egress points | Data loss prevention |
| Location-centric | Folders, file shares, disk, cloud | Identity & access management, behavior analytics |
| File-centric | Files | Persistent encryption, identity & access management |
Today, with increasing threats and the consequential impacts of a data breach, more organizations are adopting a file-centric method as the foundation of their data-centric architectures. It’s the only method that truly denies unauthorized access to your sensitive data no matter how it flows or where it resides. This protect-first foundation recognizes that if the data itself isn’t properly protected, your entire house crumbles.
A file-centric method works as a frontline defense and can be deployed in combination with other methods to achieve a fortified, cohesive data-centric security architecture. Understanding the key distinctions between the methods helps you navigate vendor engagements and build a protect-first architecture that best fits your needs.
Data Flow-Centric
These solutions defend sensitive data at corporate infrastructure ingress and egress points and use data loss prevention (DLP) tools to stop data leakage. Ingress and egress points include servers, networks, endpoints, and cloud services.
The majority of businesses have deployed DLP as point solutions – known as Integrated DLP (e.g., network DLP, email-server DLP, or end-point DLP) while few have scaled to a full enterprise DLP deployment (e.g., a full solution suite across all points).
DLP solutions set up rules that specify conditions, actions and exceptions. The tools filter messages and files based on their content and prompt corrective measures. They can simply alert a user that an action may be risky or completely block the action. Examples include alerting when sharing sensitive data through email and restricting the copy of sensitive files onto a USB drive.
Many organizations have implemented email DLP first, since email is the most obvious ingress/egress point prone to unauthorized exchanges of sensitive data. While there are measurable improvements, security and IT administrators still face challenges when implementing and operating DLP solutions, such as:
- Rules are complex and generate thousands of initial false alerts.
- Concerns over disrupting user workflows cause administrators to loosen controls and implement few blocking mechanisms.
- Alerts burden administrators, and backlogs can take weeks or months to address.
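To make the rule model described above concrete (conditions, actions and exceptions applied to message content), and to show why an untuned rule produces the false-alert volume listed in the challenges, here is a small content-filtering engine. It is an added example written for this page, not a vendor's DLP product or its policy syntax. The messages, recipient domains and the two policies are constructed; the "naive" policy blocks on any 13-16 digit run, while the "tuned" policy adds a Luhn checksum condition and an exception for an approved audit domain, which is the kind of iterative refinement the text says to anticipate.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# A message is (recipient address, body text).
Message = Tuple[str, str]

# Constructed sample outbound emails (not taken from the page).
# Msg 1: a valid card number; msg 2: a ticket id that merely looks like one;
# msg 3: a valid card number sent to an approved audit domain; msg 4: benign.
SAMPLE_MESSAGES: List[Message] = [
    ("partner@example.org", "Invoice: card 4111 1111 1111 1111 expires 12/27"),
    ("teammate@corp.example", "Ticket 1234-5678-9012-3456 escalated to tier 2"),
    ("auditor@audit.example", "Card on file for review: 5555555555554444"),
    ("anyone@example.com", "Lunch at noon?"),
]

# 13 to 16 digits with optional space or dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; the validation a tuned rule adds so arbitrary digit runs don't match."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_digit_run(msg: Message) -> bool:
    """Naive condition: any card-shaped digit run triggers the rule."""
    return CARD_RE.search(msg[1]) is not None


def has_valid_card(msg: Message) -> bool:
    """Tuned condition: the digit run must also pass the Luhn check."""
    return any(luhn_ok(re.sub(r"\D", "", m.group(0))) for m in CARD_RE.finditer(msg[1]))


def recipient_in(domains: set) -> Callable[[Message], bool]:
    """Exception factory: suppress the rule for approved recipient domains."""
    return lambda msg: msg[0].rsplit("@", 1)[-1] in domains


@dataclass
class Rule:
    name: str
    condition: Callable[[Message], bool]
    action: str                                   # "alert" or "block"
    exceptions: List[Callable[[Message], bool]] = field(default_factory=list)

    def matches(self, msg: Message) -> bool:
        return self.condition(msg) and not any(e(msg) for e in self.exceptions)


def evaluate(rules: List[Rule], messages: List[Message]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (recipient, decision, rule name) per message; first matching rule wins."""
    results = []
    for msg in messages:
        decision, hit = "allow", None
        for rule in rules:
            if rule.matches(msg):
                decision, hit = rule.action, rule.name
                break
        results.append((msg[0], decision, hit))
    return results


def count_flagged(results) -> int:
    """Number of messages that produced an alert or a block."""
    return sum(1 for _, decision, _ in results if decision != "allow")


# Hypothetical policies: the initial broad rule and its refined successor.
NAIVE_POLICY = [Rule("pan-digit-run", has_digit_run, "block")]
TUNED_POLICY = [
    Rule("pan-luhn", has_valid_card, "alert", exceptions=[recipient_in({"audit.example"})]),
]

if __name__ == "__main__":
    for label, policy in (("naive", NAIVE_POLICY), ("tuned", TUNED_POLICY)):
        results = evaluate(policy, SAMPLE_MESSAGES)
        print(f"{label}: {count_flagged(results)} of {len(results)} messages flagged")
        for recipient, decision, rule in results:
            print(f"  {recipient:24} {decision:6} {rule or ''}")
```

Run as a script, the naive policy blocks three of the four messages, including the ticket number that only resembles a card number and the legitimate exchange with the audit domain; the tuned policy alerts on exactly one. The two knobs, a stronger condition and an explicit exception, are how administrators bring the initial alert volume down without loosening the rule to the point where it no longer blocks anything.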
Too often businesses have inappropriate expectations for DLP. It works – but many underestimate the complexity and resources needed to build, tune, and manage policies to fit their environment. You should anticipate iterative refinement of rules and alert resolution.
KEY INSIGHT : Data flow-centric solutions are good at reducing risk but not a strong, protect-first approach. They don’t defend the data itself, but only how it flows in your organization. Any leakage exposes the data to unauthorized disclosure.