By E.K. Koh, VP of Solutions at NextLabs
It’s not your perimeter. It’s not your applications. In an age where there is no perimeter, where data moves from application to application, from servers to desktops to tablets and smart phones that the company does not even own, managing security at the perimeter or application is essential, but not sufficient. What is your value at risk? It is your DATA.
Data is Valuable
In a survey by Forrester, companies noted that corporate secrets (or intellectual property) comprise 2/3 of their information portfolio, with 1/3 being customer custodial data. The figure below shows the relative value of different types of data rated on a million dollar scale:
With so much value at risk, how has IT been protecting data?
Traditional Ways of Managing Data Security
Traditionally, companies have used Permissions, Access Control Lists (ACLs) and Roles to manage data security. They are applied to containers (e.g., folders), applications, and services. Once data leaves a container, the data is unprotected.
In terms of implementation and maintenance, traditional controls require IT to manually translate information sharing policies into system-specific controls, then duplicate work across all applications and systems where sensitive data moves. Because controls are static, administrators must also modify and re-assign them as risk, workflow, or personnel change.
In a large enterprise, this IT process quickly becomes inefficient and error-prone. In the extended enterprise, where data sharing is broader than ever and organizations no longer reliably own the infrastructure, this approach is often impossible.
4 Ways IT Must Change to Protect Data
In the new extended enterprise, companies must leverage new methods to protect data as it moves from application to application, from servers to desktops to mobile devices. Leading analysts such as Gartner and Kuppinger Cole, and standards bodies such as NIST, have recommended the use of Attribute-based Access Control (ABAC).
ABAC eliminates the manual steps required to turn business rules into security controls. Unlike traditional controls, which require permissions to be defined statically before an access attempt occurs, ABAC rules are evaluated dynamically with attributes presented at run-time. Enforcement adapts to risk level automatically. For example, if the classification of a document changes, or a user’s team membership changes, access rights are automatically adjusted. No need to request new roles or update permissions.
To successfully leverage ABAC for data security, IT must:
- Define business policies, not permissions.
Business policies should be transformed into digital policies that can be automatically enforced across key enterprise applications. With this transformation, IT no longer acts as the “middle-man” between compliance officers and data owners and the physical systems where data is stored. Line of Business Owners can now manage their own information security policies.
- Manage attributes, not user groups.
In an ABAC system, information security policies automatically respond to changes in attribute values. Today, these attributes are often stored in disparate locations: Active Directory or LDAP, file properties and metadata, roles in enterprise applications. IT needs to shift from administering security groups to implementing automated processes that enable attribute owners to maintain this critical information. In this model, some attribute stores may be “owned” by IT (such as Active Directory), but many may be owned by other teams or even managed outside the enterprise.
- Control access to information, rather than securing containers.
Container-based controls never apply consistently to data across systems. Information access must be the explicit target. With ABAC, IT is no longer limited to container-based controls as the only means to protect data, but should incorporate more data-centric controls that target metadata, keywords, properties, and so on. Because evaluation is based on attributes of the data, controls apply consistently as data moves between containers and across systems.
- Make it easy to leverage your end users.
Just as IT should leverage Line of Business Owners to manage attributes and policies, IT should leverage Data Owners for creating and applying data attributes, which makes sense, since they are typically most familiar with the data and its information sharing requirements. Once data is classified, its attributes can then drive automated controls (such as encryption, storage and access controls, and so on).
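The run-time evaluation described above (a document reclassification or a team change altering access with no permission edits) and the data-centric controls in the third point, as an added illustration that is not NextLabs code: a minimal deny-by-default policy decision point in Python. The attribute names, the classification ranking and the three rules are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed sample attribute vocabulary. In production the subject attributes
# come from AD/LDAP or HR, resource attributes from document metadata, and
# environment attributes from the endpoint at the moment of the request.
RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass
class Request:
    subject: dict      # e.g. {"clearance": "internal", "teams": {"sales"}}
    resource: dict     # e.g. {"classification": "internal", "owner_team": "finance"}
    action: str        # "read" or "edit"
    environment: dict  # e.g. {"device_managed": True}

def rule_clearance(req):
    """Subject clearance must be at least the document's classification."""
    return RANK[req.subject.get("clearance", "public")] >= RANK[req.resource["classification"]]

def rule_team(req):
    """Edits require membership in the owning team; reads do not."""
    return req.action == "read" or req.resource["owner_team"] in req.subject.get("teams", set())

def rule_device(req):
    """Confidential or higher data may only be opened from a managed device."""
    return RANK[req.resource["classification"]] < RANK["confidential"] or req.environment.get("device_managed", False)

POLICY = [rule_clearance, rule_team, rule_device]

def decide(req):
    """Deny by default: every rule must permit. Returns (decision, names of failing rules)."""
    failed = [rule.__name__ for rule in POLICY if not rule(req)]
    return ("PERMIT" if not failed else "DENY", failed)

if __name__ == "__main__":
    alice = {"clearance": "internal", "teams": {"sales"}}
    doc = {"classification": "internal", "owner_team": "finance"}
    managed = {"device_managed": True}
    print(decide(Request(alice, doc, "read", managed)))  # ('PERMIT', [])
    print(decide(Request(alice, doc, "edit", managed)))  # ('DENY', ['rule_team'])
    # The data owner reclassifies the document: no policy or ACL is edited,
    # the next evaluation simply sees the new attribute value.
    doc["classification"] = "confidential"
    print(decide(Request(alice, doc, "read", managed)))  # ('DENY', ['rule_clearance'])
    # HR updates Alice's attributes: access follows without a role request.
    alice.update(clearance="confidential", teams={"sales", "finance"})
    print(decide(Request(alice, doc, "edit", managed)))  # ('PERMIT', [])
    print(decide(Request(alice, doc, "edit", {"device_managed": False})))  # ('DENY', ['rule_device'])
```

Because the decision is recomputed from current attribute values on every request, the same policy travels with the data across containers and systems; only the attribute stores need to be kept accurate.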
As companies transform from traditional monolithic enterprises to the extended enterprise, so must their IT security practices. Traditional IT controls are neither effective nor sustainable for data security. IT must embrace this transformation to keep up with the age of data that respects no boundaries.