Regardless of your political affiliation, I think most people would agree that the 1992 campaign message of "it's the economy, stupid" helped get Bill Clinton elected by bringing into sharp relief the then-prevailing US economic recession. Well, 21 years later, data is the new currency, and a spate of recent external breaches (e.g., Tumblr, Ubisoft, and the California Breach Report) coupled with privileged insider Edward Snowden's assertion that it's easy to get access to sensitive data and do serious and long-lasting damage if you’re so inclined are bringing into relief the crying need for improved security practices. As Paul Ayers noted in his blog post a few days ago, for those of us who've been working in this industry, it's a long overdue wake-up call.
When it comes to data on the network, the prevailing "wisdom" has been that protection should start at the perimeter. Despite the myriad facts confirming that the game has changed, some very smart people continue to believe it's a good idea to spend significant human and financial capital protecting the network itself. Unfortunately, that's the wrong way to approach today's cyber security threats. Why? Because most perimeters have already been breached, and privileged insiders (or those trying to steal their credentials) are already trying to gain access to sensitive data. Snowden is hardly the only clever and curious guy out there, so deploying resources at the perimeter is about as effective as putting a ring of soap around the perimeter of your house to deal with an established ant problem in the kitchen. It may make you feel like you're doing something and it may keep a few new ants out, but it has no hope of solving your real problem.
Instead, the best way to minimize business risks is to protect from within, as close to the data as possible, and put in place very stringent and granular (root level) data access policies. A data security platform (I like to think of it as a "data firewall") that includes policy management, privileged user controls, security intelligence, encryption and integrated key management is by far the best approach to protecting your sensitive data from both internal and external threats. Moreover, it lets privileged insiders like database administrators, security analysts and cloud service providers see the meta data they need to do their jobs, while keeping the bad guys from walking away with anything of value. The ability to track and report on exactly who is attempting to access sensitive data, regardless of whether they are inside or outside of your organization, is of paramount importance.
Given the sophistication of today's cyber attackers, it may be impossible to prevent breaches from happening, but you can certainly stop them from being successful in their mission to access your valuable data. All you have to do is turn your thinking about data security inside out. Literally.
To borrow a page from that 1992 campaign book, it's the data, stupid. Not the network.