Traditional security has always been metaphorically tied to the medieval castle building of old: building thicker walls and drawbridges, creating multiple perimeters, raising larger armies, you know – the whole nine yards. This paradigm extends into the modern world, which maintains its fascination with sophisticated perimeters. For exhibit A, witness the recent Mission: Impossible Rogue Nation Hollywood blockbuster where sophisticated perimeter security was the primary obstacle to overcome.
But imagine changing that mindset from traditional perimeter-based security to data-centric. A data-centric approach, cast against the metaphorical medieval art of castle building, would result in thieves penetrating outer defenses, only to find the pot of gold actually filled with worthless tokens or paper notes.
In Mission: Impossible, the actual game changer was based on a data-centric approach; the critical data was encrypted and therefore worthless. The perimeter security was extremely sophisticated and most of the movie was dedicated to planning and penetrating established defenses. Yet once penetrated, because of a last line, data-centric approach (which was actually first line), all bets were off and the antagonist was ultimately foiled in his attempt at world domination.
Throughout the movie, traditional approaches didn’t stop Ethan Hunt (the protagonist, manipulated by the antagonist into doing his dirty work) and they won’t stop Ethan Hunt-like hackers from infiltrating retailers’ networks.
As the world progresses from a mere “information age” into an age of “big data,” it’s simple – the volume, granularity and sensitivity of individual data is growing exponentially. With this growth comes severe risks and consequences of losing valuable data.
Witness the recent slew of retailers blasted in the news for their inability to secure customer information. When news first breaks of a data breach, it’s easy to think “well I don’t shop at xyz store, so I’m not affected.” But as the number of breaches continues to increase, not many individuals can claim they no longer shop at SuperValu, Target, P.F. Chang’s, Home Depot, Neiman Marcus and Michaels…just to name a few. And the growing inner relationship of common vendors and suppliers begins to matrix everyone in the retail space together.
At one time, only protecting financial payloads was considered important. But with the advent of big data and data analytics, all data collected has value – it’s simply a matter of marrying that data to the right economy. Simply put, data is the new gold – with cybercriminals vying for access through the latest vulnerability. In fact, the more data your company has, the bigger the target it presents to criminals with tools to steal and ultimately sell or otherwise leverage it. And retailers have lots of data; not just financial and transactional data, but important data on suppliers and vendors not to mention massive amounts of privacy data now being captured on consumer preferences and spending habits.
Successful retailers understand the strategic advantage of what is called “lifetime value” in terms of the consumer. And nothing destroys lifetime value more quickly than lack of consumer confidence. By their very nature, retail enterprises thrive so much on branding that they’ve spent innumerable resources on building and tying their brand directly to consumer confidence. Building and extending the brand are at the heart of a retailer’s mission. So any kind of known breach costs a retailer more than perhaps any other type of business.
Aside from a brute force outside attack, insider threats at retailers remains very real. Retailers conduct their business through a complex network of internal vendors, trading partners and suppliers. Recently while consulting for a major US retailer, I noticed a number of information stores readily available to internal users at every level – necessary for day-to-day operations – that essentially could provide a laundry list of potential attack vectors back into the company. The key to protecting these potential attacks and reducing insider threats is to ensure that at the “end of the rainbow” there is no pot of gold. This goal can be realized by having a data-centric approach and ensuring only those critical to the function and with the business need have access to that data.
In terms of the tactical approach, it's generally accepted and understood that no single discipline within IT Security offers a proverbial silver bullet. Experts in the field have always advocated a multi-layered, risk-based approach; and I would certainly advocate nothing less.
Yet certain security disciplines can sometimes emerge as de facto approaches or perceived as “gold standards” or “best practices” to protect enterprise interests. For example, firewalls have long been accepted as the gold standard for network and protection of data-in-motion. Yet in recent years, enterprises have come to realize firewalls alone are insufficient. Entire security companies have recently been formed based on next-generation approaches to securing data-in-motion through log and intrusion analytics, real-time alerting, instant analysis, layer 7 filtering and next generation firewalls (NGFW). Perimeter security evolved because it needed to evolve.
The same should be true for access to data, but maturation in securing the enterprise is impeded by both mindset and approach – continuing to adopt insufficient gold standards as a de facto silver bullet.
One classic approach (that ironically still remains immature in many organizations) is gathering and governing identities and the access those identities have to applications. And while this exercise is absolutely necessary and remains essential as a security cornerstone, there are numerous forces within organizations that play against identity and access management success.
One of those forces is the rate at which applications and application data proliferate within the enterprise. Identity and access management remains a rigorous exercise due to the acceleration of data within an organization and adequately governing access to that data, either directly or through applications. Typically, data creation runs out ahead of governance around that data – the data proliferates too quickly, applications are typically rolled out without adequate governance and protection, and both struggle to keep up with movement of people within the organization who have access to those applications and the underlying data.
A data-centric approach would do much to resolve those difficulties. While organizations should continue to gather and govern access, the data itself should be guarded, protected and secured as soon as it is born. If access to data, based on out-of-the-box controls, is too accessible based on lack of governance and default protections, then that data should be protected based on a default policy of denial. Regardless of where data resides, whether on-premise or in the cloud, reaching across traditional perimeters and boundaries creates a dynamic security solution that incorporates centralized logging and audits based on SIEM, encryption with centralized key management as the default safeguard.
When data is born into an organization in this way, using a least privileged, already protected approach, with access based on “business need to know,” then the security posture is raised significantly and some pressure is alleviated from the frantic pace to build controls around data solely based on identity and access management.
In summary, the time has come for retailers to embrace a data-centric mindset and thereby change the approach to how data is protected. Traditional, de facto gold standards are proving insufficient. When we start protecting data at the source, as the source, we will formulate a new approach that renders data based on open, privileged or breached access value-less except in the intended context by the intended actors.
Existing security mindsets and approaches must adjust to a changing world where perimeter controls continue to mature but the data itself is made impermeable to outside hackers and inside threats, including the blinding of privileged users. Let’s break the mold and start protecting retail customers by taking a data-centric approach to security.