Data-centric security

Data-centric security is an approach to security that emphasizes the security of the data itself rather than the security of networks, servers, or applications. Data-centric security is evolving rapidly as enterprises increasingly rely on digital information to run their business and big data projects become mainstream.[1] [2] Data-centric security also allows organizations to overcome the disconnect between IT security technology and the objectives of business strategy by relating security services directly to the data they implicitly protect; a relationship that is often obscured by the presentation of security as an end in itself.[3]

Key Concepts

Common processes in a data-centric security model include:[4]
- Discover: the ability to inspect data storage areas at rest to detect sensitive information.
- Manage: the ability to define access policies that will determine if certain data is accessible, editable, or blocked from specific users, or locations.
- Protect: the ability to defend against data loss or unauthorized use of data and prevent sensitive data from being sent to unauthorized users or locations.
- Track: the constant monitoring of data usage to identify meaningful deviations from normal behavior that would point to possible malicious intent.

From a technical point of view, information(data)-centric security relies on the implementation of the following:[5]
- Information (data) that is self-describing and defending.
- Policies and controls that account for business context.
- Information that remains protected as it moves in and out of applications and storage systems, and changing business context.
- Policies that work consistently through the different defensive layers and technologies implemented.

Technology

Data Access Controls and Policies: Data access control is the selective restriction of access to data. Accessing may mean viewing, editing, or using. Defining proper access controls requires to map out the information, where it resides, how important it is, who it is important to, how sensitive it is and then designing appropriate controls.[6] Controls need to be able to match the most granular level of access a subject (the user) should have to a data element. Applied to relational databases, data access controls that support a data-centric security model should be able to define and control access at the table, field/column, cell and partial cell levels. In the case of complex enterprise data environments, the organization might need to enforce standards, and manage centrally the use of data protection techniques and security policies [7]

Encryption

Main article: Encryption

Encryption is a proven data-centric technique to address the risk of data theft in smartphones, laptops, desktops and even servers, including the cloud. One limitation is that encryption becomes useless once a network intrusion has occurred and cybercriminals operate with stolen valid user credentials.[8]

Data Masking

Main article: Data masking

Data Masking is the process of hiding specific data within a database table or cell to ensure that data security is maintained and that sensitive information is not exposed to unauthorized personnel. This may include masking the data from users, developers, third-party and outsourcing vendors, etc. Data masking can be achieved multiple ways: by duplicating data to eliminate the subset of the data that needs to be hidden or by obscuring the data dynamically as users perform requests.

Data-centric security and cloud computing

Cloud computing is an evolving paradigm with tremendous momentum, but its unique aspects exacerbate security and privacy challenges. Heterogeneity and diversity of cloud services and environments demand fine-grained access control policies and services that should be flexible enough to capture dynamic, context, or attribute- or credential-based access requirements and data protection.[9]

See also

References

This article is issued from Wikipedia - version of the 11/17/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.