Paradigm Shift in Data Security: Year 0000 of Data-Centric Security.
Data security is at the top of many companies' agendas. At the same time, traditional security solutions are no match for today's attacks. In a hyper-connected world where you can be attacked at any time, sensitive data must be protected from misuse: «at rest», «in motion», and «in use» alike. Data-centric security is – as of today – the only viable approach to protecting data throughout its lifecycle. The future of data security has already begun - and you can benefit from it now, even with smaller projects.
Data immunity against rising threats, data protection laws and fines
We are at a turning point[1] in the way data needs to be protected: the risk of becoming a victim of a cyberattack is increasing visibly. Almost daily, there are reports of digital attacks or data thefts that are becoming more and more sophisticated. At the same time, companies are being fined more often for non-compliance with data protection laws and regulations - with ever-increasing fines. Although reports are on the rise, data theft often goes unrecognised or is discovered late. The consequences are devastating and can even endanger human lives, as the example of the ICRC shows. With the latest scam of cybercriminals, the so-called «triple extortion», companies and their customers are blackmailed several times per attack. Corporate data is often stored in data centres that are no longer controlled by the data owners – and is therefore per se more vulnerable to data theft.
The reassuring news: there is a way out. It requires changing our way of thinking and understanding that the sensitive data of companies must be pseudonymised and thus protected in itself. We call this «data-centric protection». Since encryption algorithms are used for pseudonymisation, we also talk about «data-centric encryption». If the data is «data-centric encrypted», it is immune to data theft, because pseudonymised data cannot be misused.
Data Security: Upgrade culture at the end of its rope
A few years ago, it was enough to use the next generation of an existing security tool that one was already somewhat familiar with. This way of thinking is no longer valid. For some time now, the mutual upgrading of attack and defence, the evolution of security tools, has no longer been sufficient to sustainably reduce risks. Before a new system is even up and running, it has already become obsolete again and is no match for the attackers.
With data-centric protection through pseudonymisation, this arms race can be escaped. But you can't just buy this protection like any other tool. It requires a rethink in the way we deal with data. Until now, security was mostly implemented in the IT infrastructure. With data-centric protection, the «doing» moves to the application developers. Until this transformation is accomplished, it will be almost impossible to comply with strict data protection laws and avoid vulnerability to hackers.
Paradigm Shift in Data Security: The Magnitude
As Dave McComb writes, the paradigm shift to a data-centric view is in many ways comparable to the second industrial revolution, when independent small machines powered by electric motors replaced centralised manufacturing plants driven by steam and crankshafts.
It was already obvious by 1880 that new electric motors would transform the industrial revolution, but this transition took more than 40 years. There are striking parallels between the transition from steam power to electricity and the transition from conventional methods to data-centric protection[2]. The reason was not that the technology for the transition from steam to electricity was lacking, any more than it is a lack of technology that prevents the transition from conventional to data-centric security. What restrained the transition from steam to electricity were the settled experts who stuck to the status quo. This is just as true for data-centric protection today.
Entrepreneurs planning new infrastructures or factories in the 1880s were advised by professionals who were well acquainted with the previous setup. These professionals had no latitude or incentive to change the way things were done from the ground up. As a result, the transition from steam to electricity took over 40 years. This is where history differs from the present: the accelerated world of 2022 will make the paradigm shift faster.
More pressure for this change came from younger companies displacing established competitors by being more agile and efficient.
As with the power technology of the past, data protection is usually not the main business of companies today, but it is becoming increasingly important - fuelled by higher penalties for non-compliance with data protection and greater risk of hacker attacks, which can be existential. Companies that have already implemented data-centric security are safe from data theft and are also more agile and efficient - and benefit accordingly from their head start. Data and applications can be migrated as they are to a new technology, provisioned differently or operated by external partners in a very short time.
How Swiss leaders use data-centric security: see the reference cases of Swisscom and SIX Group.
Data security: A C-level concern
Since 2016, Prewen has been assisting companies in carrying out the paradigm shift to data-centric security. At first, we focused on classic data projects such as data warehouses with particularly sensitive data collections. In the course of these projects, it became clear that it is not enough to implement data-centric security in the IT departments for specific projects. In order to benefit from the technology in its entirety, management must realise that a shift in thinking is necessary. Only then can corporate data be properly protected in the future, regardless of the application, database or provisioning applied.
Are you part of the leadership of a company? Excellent, we will gladly show you what leaders need to keep in mind when it comes to data-centric protection. Contact now.
You are not a manager? No problem, there are also other ways in which you can contribute to the change in thinking - even though a paradigm shift must be supported by the entire company.
Where to begin? Compliance and ICT as innovation drivers
Technological changes, like data-centric protection, can hardly be introduced without management approval. However, there are significant exceptions to this. The two areas most affected by today's changes in data security offer a possible start: compliance and ICT.
Data privacy and compliance: It is not uncommon to see budgets in the seven-digit range, especially for companies in industries that are subject to strong regulatory requirements. Even budgets for sub-projects due to changes in data protection guidelines or precedents are suitable for introducing data-centric security. This is because data-centric protection facilitates many aspects of compliance, from legal requirements for data protection to the annual audit. In addition, reserves for fines can be reduced.
Smaller ICT projects: Innovative initiatives for transformation often come from individual technical experts. The project leaders for cloud, data warehouse and data science platforms or those responsible for IT solutions such as CRM have the potential to bring innovations such as data-centric security into the company as a feasibility study or proof of concept. Such a specific approach can also convince management and may serve as a first step towards initiating broader transformations.
As the McComb example already demonstrates, existing, large structures are slow to change, especially when it comes to a paradigm shift like data-centric security. But smaller, specific projects may serve as spearheads for the new approaches. They are cheaper because of their project volume and allow experimentation with new approaches. Parts of data-centric protection can therefore be implemented in the existing infrastructure and used to start the transition to data-centric security.
A case study from experience: for one of our clients, it was the SAP team that was the spearhead. The SAP team wanted to off-shore operations. The regulatory requirement was that people abroad could not see the data. We encrypted the data so that it could not be seen from abroad. Since this project had no need for maximum availability and there were few interfaces to other applications, the initial project could be implemented relatively inexpensively.
Data immunity for the future: step-by-step towards data-centric protection
The biggest sticking point to kick-start innovation is usually funding. It is often easier to get funding for existing technology - and this can be used to introduce data-centric security.
Cloud: Almost all companies already have data and applications in the cloud or will do so in the near future. Even if you only perform a so-called «lift and shift» - i.e. move the data unchanged from local data storage to the cloud - it is imperative to strengthen security. The data centres of cloud providers are no longer under the control of the data owner and the data is mostly processed by US or Chinese hyperscalers. There is a risk that the data is not safe from access by state institutions. (Cf. the article «Data protection law and access by US authorities»).
Machine Learning: Almost every large organisation is now running machine learning projects. Many have discovered that artificial intelligence and machine learning bring enormous business benefits. But dangers are also on the rise: Merging data from different sources may create "explosive" data pools from which highly sensitive conclusions can be drawn. In the past, such projects were often aborted because of their sensitive content. This does not have to be the case: Data-centric security enables the realisation of such projects, despite and with sensitive substance.
Off-/Near-Shoring: With the aim of saving operating costs, companies shift the operation of their applications and systems to nearby or distant foreign countries. Depending on the situation, either people from abroad access the local systems, or the systems and applications are moved abroad as well. In both cases, persons with elevated privileges (very often administrative privileges) access business-critical applications, systems and databases. Sensitive content, however, must remain hidden from or encrypted for these individuals. With data-centric security, access to this content is prevented, even for administrators with the most elevated access privileges.
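The off-shoring case above, as an added example that is not Prewen's or any client's code: the application pseudonymises the sensitive columns with a keyed HMAC before writing to the database, keeps the key and the re-identification vault on its own side, and still runs exact-match queries on the pseudonyms. The records, the field list and the class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows, as an administrator of the database would otherwise see them in clear.
CUSTOMERS = [
    {"customer": "Anna Muster", "iban": "CH00 0000 0000 0000 0000 A", "balance": 1200},
    {"customer": "Beat Beispiel", "iban": "CH00 0000 0000 0000 0000 B", "balance": 830},
    {"customer": "Anna Muster", "iban": "CH00 0000 0000 0000 0000 C", "balance": 45},
]
SENSITIVE_FIELDS = ("customer", "iban")  # columns that must not be readable off-shore


class AppSidePseudonymiser:
    """Pseudonymisation done by the application, not by the infrastructure.

    The key and the re-identification vault stay in the application's domain;
    the (possibly off-shored) database only ever receives the pseudonyms, so
    its administrators cannot recover the originals however high their privileges.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._vault: dict[str, str] = {}  # pseudonym -> original value, application side only

    def pseudonym(self, field: str, value: str) -> str:
        # Keyed HMAC: deterministic (equal values give equal pseudonyms, so joins and
        # exact-match search keep working) but not invertible without the key. Mixing in
        # the field name keeps the same string in two columns from sharing a pseudonym.
        mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def protect(self, record: dict) -> dict:
        """Return the row exactly as it is written to the database."""
        row = dict(record)
        for field in SENSITIVE_FIELDS:
            p = self.pseudonym(field, record[field])
            self._vault[p] = record[field]
            row[field] = p
        return row

    def reidentify(self, row: dict) -> dict:
        """Possible only for the application holding the vault, never for the DB operator."""
        return {**row, **{f: self._vault[row[f]] for f in SENSITIVE_FIELDS}}


def contains_plaintext(rows: list, original: str) -> bool:
    """What a privileged administrator would find by searching the stored tables."""
    return any(original in str(v) for row in rows for v in row.values())


def total_balance_for(rows: list, ps: AppSidePseudonymiser, customer: str) -> int:
    # A business query on the protected data: look up by pseudonym instead of by name.
    target = ps.pseudonym("customer", customer)
    return sum(r["balance"] for r in rows if r["customer"] == target)
```

Deterministic pseudonyms still reveal which rows share a value; where that equality itself is sensitive, the field should be encrypted with a randomised cipher instead, at the cost of searchability.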
Data-centric security is here to stay.
Today's trend in dealing with data can be seen in different aspects. In marketing, customer and user data is used to individualise the customer journey. The hybrid working world demands access to company data from anywhere in the world. Industries with highly sensitive data, such as insurance, healthcare and finance, are stepping up their efforts to protect data from theft. And with lean management, every production and supply chain is global and data-driven now. In short, more data is being collected and stored than ever before. And more data is being stolen and misused than ever before. To master these challenges securely, a fundamental shift in thinking, a paradigm shift to data-centric protection, is needed.
Learn more about data-centric security or Prewen's data security offer.
—
Footnotes:
[1] «We are at a turning point»: with these words Dave McComb begins his book «The Data-Centric Revolution: Restoring Sanity to Enterprise Information Systems». And he is right. In this article, I follow McComb's remarks and show how this «turning point» also marks a fundamental paradigm shift for data security.
[2] Cf. Brian Arthur, The Nature of Technology: What It Is and How It Evolves