There’s lots of talk these days about the potential for data-centric security and how it will revolutionize the field of information security. While it’s true that data-centric security is a good solution to some problems, it doesn’t solve all problems, and it’s almost certain to coexist with existing security technologies instead of replacing them. It does this in a way that makes it particularly useful in dealing with data breaches, so it should provide a good tool to help fight the massive losses of sensitive data that we’re seeing today.
Data-centric security focuses on protecting data rather than protecting the network where the data lives. Traditional security technologies like firewalls establish a security perimeter that’s designed to keep hackers out. Everything inside the security perimeter is considered to be more-or-less safe while everything outside the perimeter is considered suspect. Perhaps not exactly Evil, but certainly Bad.
Trends like mobile computing and tighter integration of business partners are making it more and more difficult to define exactly where a security perimeter is. This makes enforcing the traditional model more and more difficult. It’s almost impossible to enforce a strong perimeter, after all, if you can’t really say exactly where the perimeter is. Because of this, data-centric security is often proposed as an alternative.
With data-centric security, you protect the data instead of the network where the data lives. This is typically done with encryption. In the ideal data-centric model, sensitive date is encrypted and only authorized users can get the cryptographic key needed to decrypt it. To unauthorized users, data looks like a bunch of random bits, and because they can’t get the key needed to turn these random bits into useful information, the data isn’t useful to them.
If a hacker manages to penetrate a network that’s protected by data-centric security, any data that he manages to get will be useless to him. Doing key management correctly is needed to make this a reality, but let’s make a huge leap of faith and assume that that’s possible. This means that a hacker can’t get the decryption keys that he needs to make sense of the encrypted data.
This certainly sounds good, but it probably doesn’t describe a scenario that’s likely to happen, and probably doesn’t describe one that people will pay for. Although they’re far from perfect, existing technologies can create fairly strong security perimeters, after all. So why should we be interested in data-centric security at all?
The real reason that data-centric security will probably become popular is because it provides a way to extend the security perimeter to where it needs to be. Sensitive data is extremely difficult to keep control of. It’s carried outside the security perimeter on a routine basis by people who need to use it. Laptops are routinely lost or stolen. CDs containing sensitive data are lost in the mail. USB drives are also. So keeping sensitive data inside a protected perimeter is virtually impossible. It’s also probably not worth trying to do. People need access to sensitive data to do their jobs, and not letting it leave a protected network probably isn’t practical.
On the other hand, if sensitive data is encrypted, then losing control of it won’t cause any problems because data-centric security extends the security perimeter to wherever the data is. That’s assuming that key management is done correctly, but we’ve assumed that to be the case. The most important use of data-centric security probably won’t be as an additional layer of protection against hackers that manage to penetrate a protected network. Instead, it will probably be used to protect data that leaves the network for legitimate purposes.
The big problem with protecting sensitive data isn’t that hackers get in, it’s that data gets out, and data-centric security has the potential to eliminate the problems that data getting out can cause.