The manner in which enterprises conduct business has changed drastically over the past two decades, but approaches to security have not. During the advent of e-commerce, businesses focused on network firewalls, system hardening and network intrusion detection systems to protect web servers from compromises or denial of service attacks. As businesses made this environment more secure, cyber attackers changed tactics.
Today, despite the near total dissolution of the network perimeter and the evolution of threats, security teams are still using a perimeter security mindset – they’ve just changed the definition of the perimeter. The effort to combat malware is an example of a legacy perimeter security mindset. The weak link in security has always been the users, so knowing that, attackers use phishing to trick users into installing malware on their devices. This threat has caused security teams to focus on securing user devices in much the same way that 20 years ago they focused on securing web servers – perimeter security, hardening, and network monitoring.
This approach to securing devices and the network connections they use is necessary but not sufficient. After all, network attacks haven’t gone away and the Equifax data breach is a recent example of the continued failure of perimeter security despite decades of trying to make it more effective.
The security mindset needs to evolve to focus more on the outcome of attacks, not just the initial symptom. Ultimately, attackers are trying to steal data. Any and all data that may be useful. Yes, the perimeter security approach is still something to use but it has to be viewed as what it is: baseline security due diligence to eliminate unmotivated attackers. For the remaining attackers, the ones that we read about daily, businesses need to focus on data-centric security.
The user will click that link. The server will not get that critical security fix. The firewall will not get that policy update. Expect the various forms of perimeter security to fail and make sure there are data-centric controls that make it much harder for an attacker to steal data.
At a high level, a data-centric approach requires that businesses continually discover and classify sensitive and compliance regulated information, protect that data with features such as encryption, tokenization, or masking, and control the information to ensure only authorized users have access to it…no matter where the data travels or where it is stored.
Everyone knows that the network perimeter has gone away but we haven’t truly evolved our thinking. Endpoint security is just perimeter security applied to end user devices. Data is the new endpoint. Data is the new perimeter. Discover, protect and control data with a data-centric approach to prevent data loss when the other controls fail.
September 25, 2017