Leading organizations are investing in new controls for sensitive data protection

CISOs tend to spend the bulk of their cybersecurity technology budgets on endpoint, server, and network security controls. Okay, this makes sense from a historical perspective, but these IT assets are in a state of flux today. Endpoints are often mobile devices rather than Windows PCs, while servers are virtual or cloud-based workloads. Meanwhile, networks are also moving to a virtual model composed of public and private network segments.

It’s clear that organizations embracing new cloud and mobile infrastructure have less control of some IT assets than they did in the past. What does this mean for security? One CISO I spoke with a while ago gave me a very succinct answer to this question: “As I lose control over IT infrastructure, I better make sure I have tight control over two other areas – sensitive data and user identity.” In this security executive’s mind, data security and identity and access management (IAM) are rapidly becoming new security perimeters.

Over the last few years, I’ve seen many large enterprises start to reinforce these new security perimeters. On the identity side, ESG research indicates that 44% of enterprise organizations (i.e. more than 1,000 employees) say that their cybersecurity teams are “significantly more involved” with IAM policies and technologies than they were in the past (note: I am an ESG employee). Infosec teams are also implementing granular access controls and increasing their analysis of user behavior for incident detection.

As for data security, leading enterprise organizations are doing things like:

- Enhancing data classification. Rather than implement a complex data classification taxonomy, however, CISOs are focused on discovering and classifying their most sensitive data – where it resides, who has access to it, etc.
And aside from production systems alone, infosec teams are also tracing this data down peripheral paths as copies of it travel to partners, developer systems, analytics applications, etc.

- Bolstering data security controls. These controls cover the data AND the systems that sensitive data resides on. For example, many organizations are deploying tightly-integrated and hardened converged infrastructure (e.g. Cisco, Dell, Nutanix, Simplivity, VCE, etc.) for hosting sensitive databases and file systems. These systems can contain specialized cryptographic processors (e.g. Oracle) and self-encrypting drives for more efficient and comprehensive encryption, and can be instrumented with digital certificates to set up trusted relationships. Some organizations also use micro-segmentation for specialized access controls between applications and databases. As for the data itself, large organizations are moving toward end-to-end data encryption (i.e. encryption of all sensitive data at-rest and in-flight). I also see greater use of data masking, tokenization, and redaction for developer and third-party systems that need access to some, but not all, sensitive data.

- Implementing enterprise-class encryption key management. CISOs recognize the risk and operational overhead associated with tactical key management systems deployed all over the place. These point tools are being replaced with key management architectures from vendors like IBM, Microsoft, and Vormetric.

- Continuous monitoring. I see large organizations putting lots more “eyes and ears” on monitoring sensitive data. This continuous monitoring includes database activity monitoring (IBM, Imperva, Oracle), DLP (Digital Guardian, Intel Security, Symantec), and filesystem monitoring tools from DataGravity, NetApp, and Varonis.
There is also greater use of machine learning algorithms/analytics that watch both users AND data, including UBA technologies from vendors like Exabeam, Niara, and Splunk (Caspida).

CISOs realize that they have way too much to do and not enough time to do it. Given this, they have to do a better job of prioritizing activities and streamlining operations. Focusing on data security and IAM allows them to do this by decreasing the attack surface, adding controls around high-value assets, and monitoring all activities related to sensitive data. A different approach? Yes, but it makes sense from a strategic AND operational perspective.