How to create a data-centric security infrastructure

With today’s multiplatform environment, your sensitive information may no longer completely be under your control. It could be on any device, shared in unauthorized locations, or accessed by the right people the wrong way.

data-centric security infrastructure
Thinkstock

Data everywhere

Firewalls, APT protection, antivirus and the like are all necessary to protect an organization's network and endpoints. But when you get down to the nitty gritty, it's about the data: the intellectual property, the customer PII, the M&A information and everything else that keeps the business running. In today's multiplatform environment that data is no longer fully under your control. It can sit on any device, be shared into unauthorized locations, or be accessed by the right people in the wrong way. You need to manage every facet of what is being accessed, by whom, when, where, and how.

Yoran Sirkis, CEO of Covertix, provides these building blocks you need to set up a data-centric security infrastructure.

Data Discovery

You cannot protect what you cannot find. A comprehensive data discovery system allows you to find your data, no matter its location – cloud, mobile, local network etc. Once you know where your data is, you have a handle on protecting it.

Visibility

Now you know where your data is – at a single point in time. Data visibility means that you can get a complete picture of data flow over time. For example, a patient record originates with the primary care doctor, travels through the insurance company, and later ends up within the network of the specialist to whom the primary care physician referred and the insurance company approved.

Classification

You know where your data is. But what kind of data is it? You need to decide what data to protect and how, manually or automatically, based on specific rules. An efficient classification system recognizes sensitive content by what it contains, such as credit card numbers, PII and PHI, and protects it automatically. It should also recognize files that are pre-categorized by their origin, such as anything coming out of the office of the CFO, and protect them as well. Content detectors need a validity check behind the pattern match (a 16-digit number is not a card number until it passes a checksum), or the system drowns in false positives.
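As an added illustration of the two kinds of rule described above (content patterns with a validity check, and origin rules), the following is example code written for this page, not Covertix's product or the article author's code. The share paths, the sample documents and the label scale are constructed for the example.

```python
# Added example (not Covertix code): rule-based classification that labels a
# file from its content and its origin. Paths, rules and sample text are
# constructed for illustration.
import re

LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]

# Content detectors. The card pattern is deliberately loose (16 digits with
# optional spaces/dashes) and relies on the Luhn check to cut false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Origin rules: a path prefix implies a label regardless of content.
ORIGIN_RULES = [
    ("/shares/finance/cfo/", "CONFIDENTIAL", "originates from the CFO office"),
    ("/shares/public/", "PUBLIC", "published share"),
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def content_findings(text: str):
    """Return (label, reason) pairs for every sensitive pattern in the text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("RESTRICTED", "payment card number (Luhn-valid)"))
    if SSN_RE.search(text):
        hits.append(("CONFIDENTIAL", "US SSN pattern"))
    return hits

def classify(path: str, text: str, default: str = "INTERNAL"):
    """Label = highest level demanded by any content or origin rule."""
    hits = content_findings(text)
    for prefix, level, why in ORIGIN_RULES:
        if path.startswith(prefix):
            hits.append((level, why))
    if not hits:
        return default, ["no rule matched; default applied"]
    label = max((h[0] for h in hits), key=LEVELS.index)
    return label, [why for _, why in hits]

# Constructed sample share; the second card-looking number fails Luhn.
SAMPLE_DOCS = {
    "/shares/finance/cfo/q3-forecast.txt": "Forecast: revenue up 4%",
    "/shares/sales/orders.txt": "Card 4111 1111 1111 1111 exp 12/27",
    "/shares/sales/notes.txt": "Ticket 1234 5678 9012 3456 reference",
    "/shares/hr/benefits.txt": "Member 123-45-6789 covered under plan A",
    "/shares/public/readme.txt": "Welcome to the shared drive",
}

def classify_share(docs=SAMPLE_DOCS):
    """Label every document in a share; a discovery crawler would feed this."""
    return {path: classify(path, text)[0] for path, text in docs.items()}

if __name__ == "__main__":
    for path, label in classify_share().items():
        print(f"{label:13} {path}")
```

The label is the highest level any rule demands, so a card number found in the public share still comes out RESTRICTED; the origin rule only sets a floor for files that carry nothing sensitive in their content.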

Access Management

Data access should be based on roles with specific permissions and privileges. The same rules must apply whether the person is accessing the data inside or outside the network, and if the wrong person is accessing it in the right place, the data should still be inaccessible. Define the access control mechanism on the file, data or information itself rather than at the gateway or the organization's entry points, so that it still decides who can and cannot access the information after it has left the organization.

Control

You need to manage the data from the 30,000-foot level, not file by file. A good control system lets you manage who can access your data, when, where, and how, automatically, based on preset rules. Even better, the system gives employees direct control, letting them set the classification level and allowed actions when working with or creating new files, within the bounds the preset rules allow: raising a label should be easy, lowering one should need a reviewer, or the employee-side control becomes the leak.

Governance & Compliance

Now that you can track who is doing what, when, where, and how to your information, you need to be able to show it. A good governance system lets you track your data so that you know exactly where it has been and who has touched it. You will also be able to demonstrate compliance with regulatory requirements because you can pull clear reports about the who, what, when, where, and how of file access, and denied attempts belong in those reports as much as allowed ones.
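The Access Management, Control and Governance & Compliance building blocks above describe one mechanism seen from three sides: a policy bound to the data's label rather than to a gateway, managed as rule sets rather than file by file, with every decision recorded so it can be reported. The following is an added example written for this page (not Covertix's product or the author's code) that puts the three together; the labels, roles, rule set and the `data-steward` role are assumptions for illustration.

```python
# Added example (not Covertix code): a policy keyed by classification label
# rather than by file, enforced on every access wherever the file is, with an
# audit trail that answers who, what, when, where and how. Roles, labels and
# rules are assumptions for illustration.
from datetime import datetime, timezone

LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]

# One rule set per label governs every file carrying that label.
# roles=None means any authenticated employee.
POLICY = {
    "PUBLIC":       {"roles": None, "actions": {"read", "edit", "share", "print"}, "outside_ok": True},
    "INTERNAL":     {"roles": None, "actions": {"read", "edit", "print"}, "outside_ok": True},
    "CONFIDENTIAL": {"roles": {"finance", "executive"}, "actions": {"read", "edit"}, "outside_ok": True},
    "RESTRICTED":   {"roles": {"finance"}, "actions": {"read"}, "outside_ok": False},
}

class Enforcer:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.audit = []   # in memory here; ship to a SIEM in practice

    def _log(self, kind, file, user, role, action, location, decision, reason):
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "kind": kind, "who": user, "role": role,
            "what": file["path"], "label": file["label"],
            "how": action, "where": location,
            "decision": decision, "reason": reason,
        })

    def evaluate(self, file, user, role, action, location):
        """Decide an access. The role check runs before the location check:
        the wrong person is refused even in the right place."""
        rule = self.policy[file["label"]]
        reason = "allow"
        if rule["roles"] is not None and role not in rule["roles"]:
            reason = "role not entitled to this label"
        elif action not in rule["actions"]:
            reason = f"action {action!r} not permitted for this label"
        elif location == "outside" and not rule["outside_ok"]:
            reason = "label may not be used outside the network"
        allowed = reason == "allow"
        self._log("access", file, user, role, action, location,
                  "allow" if allowed else "deny", reason)
        return allowed, reason

    def relabel(self, file, new_label, user, role):
        """Employees may raise a label; lowering one needs a data steward."""
        raising = LEVELS.index(new_label) > LEVELS.index(file["label"])
        if not raising and role != "data-steward":
            self._log("relabel", file, user, role, new_label, "inside",
                      "deny", "downgrade requires data-steward")
            return False
        self._log("relabel", file, user, role, new_label, "inside", "allow", "allow")
        file["label"] = new_label
        return True

    # Governance views over the trail.
    def report(self, path):
        """Every decision about one file, allowed or not."""
        return [e for e in self.audit if e["what"] == path]

    def custody(self, path):
        """Where the file has actually been opened, and by whom, in order."""
        return [(e["where"], e["who"]) for e in self.audit
                if e["what"] == path and e["kind"] == "access" and e["decision"] == "allow"]

    def denials(self):
        return [(e["who"], e["what"], e["reason"]) for e in self.audit
                if e["decision"] == "deny"]

if __name__ == "__main__":
    e = Enforcer()
    f = {"path": "/shares/finance/cfo/q3.txt", "label": "RESTRICTED"}
    print(e.evaluate(f, "alice", "finance", "read", "inside"))    # allowed
    print(e.evaluate(f, "bob", "marketing", "read", "inside"))    # wrong person, right place
    print(e.evaluate(f, "alice", "finance", "read", "outside"))   # right person, wrong place
    print(e.custody(f["path"]), e.denials())
```

Changing who may take a RESTRICTED file outside the network is a one-line edit to `POLICY`, and it takes effect for every file carrying that label; nothing is touched per file. The audit entry carries the label at decision time, so a later relabel does not rewrite history.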

Encryption

Encryption should protect your data against illegitimate users once it is no longer directly under your control. You need to be able to activate encryption based on specific conditions, while keeping the whole process transparent to the end user and not damaging the user experience. Two details decide whether this actually holds after the data has left: the key must stay with the organization rather than travel with the file, so that an encrypted copy outside the network is only readable by someone the policy still authorizes and can be cut off by revoking the key; and encryption is no defence against the authorized user who misuses the data, which is the job of the access, control and governance layers above.
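To make the conditional, key-stays-home model concrete, the following is an added example written for this page, not Covertix's product or the author's code. The rule set, the roles and the `KeyService` are assumptions for illustration, and the cipher is a standard-library stand-in (HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag) used so the example runs without extra packages; in production use an AEAD such as AES-GCM from a vetted library.

```python
# Added example (not Covertix code): encrypt only when a rule fires, and keep
# the key with the organization so a copy that has left the network can be
# read only after a fresh policy decision. Labels, roles and the key service
# are assumptions for illustration.
import hashlib
import hmac
import secrets

# Stand-in cipher from the standard library only: HMAC-SHA256 keystream in
# counter mode, plus an HMAC-SHA256 tag (encrypt-then-MAC) under a separate
# key. In production use an AEAD such as AES-GCM from a vetted library.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    block = 0
    while len(out) < n:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:n]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def _header(env: dict) -> bytes:
    # The label and key id are authenticated too, so the header cannot be
    # rewritten to a weaker label to escape the policy check.
    return f'{env["label"]}|{env["key_id"]}|'.encode() + env["nonce"]

ENTITLED = {"PUBLIC": None, "INTERNAL": None,
            "CONFIDENTIAL": {"finance", "executive"}, "RESTRICTED": {"finance"}}

class KeyService:
    """Organization-held keys. Files carry a key_id, never key material."""
    def __init__(self):
        self._master = secrets.token_bytes(32)
        self.revoked = set()

    def _derive(self, key_id: str, purpose: bytes) -> bytes:
        # Per-file, per-purpose subkeys so the enc and mac keys never coincide.
        return hmac.new(self._master, key_id.encode() + b"|" + purpose, hashlib.sha256).digest()

    def issue(self):
        """Keys for the trusted egress agent that wraps the file."""
        key_id = secrets.token_hex(8)
        return key_id, self._derive(key_id, b"enc"), self._derive(key_id, b"mac")

    def keys_for(self, key_id: str, role: str, label: str):
        """Decrypt-time policy check; this is what makes revocation possible."""
        entitled = ENTITLED[label] is None or role in ENTITLED[label]
        if key_id in self.revoked or not entitled:
            return None
        return self._derive(key_id, b"enc"), self._derive(key_id, b"mac")

    def revoke(self, key_id: str):
        self.revoked.add(key_id)

def needs_encryption(label: str, destination: str) -> bool:
    """The condition: anything leaving the network, or RESTRICTED anywhere."""
    return destination == "outside" or label == "RESTRICTED"

def protect(ks: KeyService, path: str, label: str, data: bytes, destination: str) -> dict:
    """Wrap a file on egress if the rule fires; otherwise pass it through."""
    if not needs_encryption(label, destination):
        return {"path": path, "label": label, "plaintext": data}   # transparent, no overhead
    key_id, enc_key, mac_key = ks.issue()
    nonce = secrets.token_bytes(16)
    env = {"path": path, "label": label, "key_id": key_id, "nonce": nonce}
    env["ct"] = _xor(data, _keystream(enc_key, nonce, len(data)))
    env["tag"] = hmac.new(mac_key, _header(env) + env["ct"], hashlib.sha256).digest()
    return env

def unprotect(ks: KeyService, env: dict, role: str):
    """Returns plaintext, or None when policy, revocation or integrity fails."""
    if "plaintext" in env:
        return env["plaintext"]
    keys = ks.keys_for(env["key_id"], role, env["label"])
    if keys is None:
        return None
    enc_key, mac_key = keys
    expected = hmac.new(mac_key, _header(env) + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        return None
    return _xor(env["ct"], _keystream(enc_key, env["nonce"], len(env["ct"])))
```

The user never handles a key: inside the network a CONFIDENTIAL file opens as plaintext, and outside it the agent fetches keys from the service on the user's behalf, so the experience is the same either way. What changes is that the organization can say no at decrypt time, by role or by revoking the key id, long after the bytes have left.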