Data-centric security

Data-centric security is an approach to security that emphasizes the dependability of the data itself rather than the security of networks, servers, or applications. Data-centric security is evolving rapidly as enterprises increasingly rely on digital information to run their business and big data projects become mainstream.^[1] ^[2] ^[3] It involves the separation of data and digital rights management that assign encrypted files to pre-defined access control lists, ensuring access rights to critical and confidential data are aligned with documented business needs and job requirements that are attached to user identities.^[4]

Data-centric security also allows organizations to overcome the disconnect between IT security technology and the objectives of business strategy by relating security services directly to the data they implicitly protect; a relationship that is often obscured by the presentation of security as an end in itself.^[5]

Key concepts

Common processes in a data-centric security model include:^[6]

Discover: the ability to know what data is stored where including sensitive information.
Manage: the ability to define access policies that will determine if certain data is accessible, editable, or blocked from specific users, or locations.
Protect: the ability to defend against data loss or unauthorized use of data and prevent sensitive data from being sent to unauthorized users or locations.
Monitor: the constant monitoring of data usage to identify meaningful deviations from normal behavior that would point to possible malicious intent.

From a technical point of view, information (data)-centric security relies on the implementation of the following:^[7]

Information (data) that is self-describing and defending.
Policies and controls that account for business context.
Information that remains protected as it moves in and out of applications and storage systems, and changing business context.
Policies that work consistently through the different data management technologies and defensive layers implemented.

Technology

Data access controls and policies

Data access control is the selective restriction of access to data. Accessing may mean viewing, editing, or using. Defining proper access controls requires to map out the information, where it resides, how important it is, who it is important to, how sensitive the data is and then designing appropriate controls.^[8]

Encryption

Encryption is a proven data-centric technique to address the risk of data theft in smartphones, laptops, desktops and even servers, including the cloud. One limitation is that encryption is not always effective once a network intrusion has occurred and cybercriminals operate with stolen valid user credentials.^[9]

Data masking

Data Masking is the process of hiding specific data within a database table or cell to ensure that data security is maintained and that sensitive information is not exposed to unauthorized personnel. This may include masking the data from users, developers, third-party and outsourcing vendors, etc. Data masking can be achieved multiple ways: by duplicating data to eliminate the subset of the data that needs to be hidden, or by obscuring the data dynamically as users perform requests. ^[10]

Auditing

Monitoring all activity at the data layer is a key component of a data-centric security strategy. It provides visibility into the types of actions that users and tools have requested and been authorized to on specific data elements. Continuous monitoring at the data layer combined with precise access control can contribute significantly to the real-time detection of data breaches, limits the damages inflicted by a breach and can even stop the intrusion if proper controls are in place. A 2016 survey^[11] shows that most organizations still do not assess database activity continuously and lack the capability to identify database breaches in a timely fashion.

Privacy-enhancing technologies

A privacy-enhancing technology (PET) is a method of protecting data. PETs allow online users to protect the privacy of their personally identifiable information (PII) provided to and handled by services or applications. PETs use techniques to minimize possession of personal data without losing the functionality of an information system.

Cloud computing

Cloud computing is an evolving paradigm with tremendous momentum, but its unique aspects exacerbate security and privacy challenges. Heterogeneity and diversity of cloud services and environments demand fine-grained access control policies and services that should be flexible enough to capture dynamic, context, or attribute-based access requirements and data protection.^[12] Data-centric security measures can also help protect against data-leakage and life cycle management of information.^[13]

References

^ Gartner Group (2014). "Gartner Says Big Data Needs a Data-Centric Security Focus". Archived from the original on June 11, 2014.
^ SANS Institute (2015). "Data-Centric Security Needed to Protect Big Data Implementations". Archived from the original on 2021-01-17. Retrieved 2015-11-17.
^ IRI (2017). "Masking Big Data in Hadoop and Very Large Databases".
ISSN 1361-3723
.

^ IEEE (2007). "Elevating the Discussion on Security Management: The Data Centric Paradigm".

^ Wired Magazine (2014). "Information-Centric Security: Protect Your Data From the Inside-Out". Archived from the original on 2016-03-27. Retrieved 2015-11-17.

^ Mogull, Rich (2014). "The Information-Centric Security Lifecycle" (PDF).

^ Federal News Radio (2015). "NASA Glenn becoming more data-centric across many fronts".

^ Encryption solutions with multi-factor authentication are much more effective in preventing such access. MIT Technology Review (2015). "Encryption Wouldn't Have Stopped Anthem's Data Breach".

^ IRI (2017). "Dynamic Data Masking Software".

^ Dark Reading (2016). "Databases Remain Soft Underbelly Of Cybersecurity".

^ IEEE (2010). "Security and Privacy Challenges in Cloud Computing Environments" (PDF).

doi:10.2139/ssrn.3168615, retrieved 2023-12-13{{citation}}: CS1 maint: location missing publisher (link
)

v
t
e
Information security
Related security categories

Computer security

Automotive security

Cybercrime
Cybersex trafficking

Computer fraud

Cybergeddon

Cyberterrorism

Cyberwarfare

Electromagnetic warfare

Information warfare

Internet security

Mobile security

Network security

Copy protection

Digital rights management

vectorial version
Threats

Adware

Advanced persistent threat

Arbitrary code execution

Backdoors

Hardware backdoors

Code injection

Crimeware

Cross-site scripting

Cross-site leaks

DOM clobbering

History sniffing

Cryptojacking

Botnets

Data breach

Drive-by download

Browser Helper Objects

Viruses

Data scraping

Denial-of-service attack

Eavesdropping

Email fraud

Email spoofing

Exploits

Hacktivism

Insecure direct object reference

Keystroke loggers

Logic bombs

Time bombs

Fork bombs

Zip bombs

Fraudulent dialers

Malware

Payload

Phishing
Voice

Polymorphic engine

Privilege escalation

Ransomware

Rootkits

Scareware

Shellcode

Spamming

Social engineering

Spyware

Software bugs

Trojan horses

Hardware Trojans

Remote access trojans

Vulnerability

Web shells

Wiper

Worms

SQL injection

Rogue security software

Zombie

Defenses

Application security
Secure coding

Secure by default

Secure by design
Misuse case

Computer access control
Authentication
Multi-factor authentication

Authorization

Computer security software
Antivirus software

Security-focused operating system

Data-centric security

Obfuscation (software)

Data masking

Encryption

Firewall

Intrusion detection system
Host-based intrusion detection system (HIDS)

Anomaly detection

Security information and event management (SIEM)

Mobile secure gateway

Runtime application self-protection

Site isolation

Retrieved from "https://en.wikipedia.org/w/index.php?title=Data-centric_security&oldid=1195900728"

[1] Gartner Group (2014). "Gartner Says Big Data Needs a Data-Centric Security Focus". Archived from the original on June 11, 2014.

[2] SANS Institute (2015). "Data-Centric Security Needed to Protect Big Data Implementations". Archived from the original on 2021-01-17. Retrieved 2015-11-17.

[3] IRI (2017). "Masking Big Data in Hadoop and Very Large Databases".

[4] ISSN 1361-3723
.

[5] IEEE (2007). "Elevating the Discussion on Security Management: The Data Centric Paradigm".

[6] Wired Magazine (2014). "Information-Centric Security: Protect Your Data From the Inside-Out". Archived from the original on 2016-03-27. Retrieved 2015-11-17.

[7] Mogull, Rich (2014). "The Information-Centric Security Lifecycle" (PDF).

[8] Federal News Radio (2015). "NASA Glenn becoming more data-centric across many fronts".

[9] Encryption solutions with multi-factor authentication are much more effective in preventing such access. MIT Technology Review (2015). "Encryption Wouldn't Have Stopped Anthem's Data Breach".

[10] IRI (2017). "Dynamic Data Masking Software".

[11] Dark Reading (2016). "Databases Remain Soft Underbelly Of Cybersecurity".

[12] IEEE (2010). "Security and Privacy Challenges in Cloud Computing Environments" (PDF).

[13] :10.2139/ssrn.3168615, retrieved 2023-12-13{{citation}}: CS1 maint: location missing publisher (link
)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]