True Cybersecurity Requires a Shift to a Data-Centric Philosophy

By Brian Platz, CEO and co-founder, Fluree

A target-rich environment

While news of cyber attacks emanating from Russia’s invasion of Ukraine has been sparse, some experts say the cyber conflict has been a constant in the battle theater since the war’s onset. Others caution that Russian President Vladimir Putin could launch a severe cyber campaign at any moment. Then there are those who say what we’ve witnessed to date presages the future of cyber warfare.

Beyond the war in Ukraine, cyber-attacks worldwide dropped precipitously in February — roughly 5.1 million records breached — compared to January’s total of about 66 million records breached, according to IT Governance, a United Kingdom-headquartered company.

To illustrate the challenge over the course of a whole year, consider the 1,001 data breaches in 2020 tracked by Statista that affected 155.8 million.

The paucity of public fissures within the cybersecurity realm during the past several weeks combined with Russia’s ongoing aggression has created a certain amount of tension among those who fear the worst is still to come.

Yet, that doubt also has created the opening for a conversation that cybersecurity professionals should be having — one that could prove revolutionary in the field regarding how we think about protecting data.

Vulnerabilities remain manifold. Today’s global data architecture is one with a virtually unlimited surfeit of targets, including emails and texts due to information sharing by friends and colleagues; social media posts; and other types of communication among organizations and businesses. Literally every API represents a potential vulnerability. Akamai’s 2020 State of Internet Security Report, in fact, found that 75% of all financial services industry cyber attacks targeted APIs. The result is a system of countless data silos, each with a discrete surface ripe for attack.

Perhaps counterintuitively, despite being the grand prize hackers seek, data remains unprotected. Instead, security investment continues to be concentrated in online infrastructure.

The rise of cloud-computing has coincided with the mushrooming of the numbers and types of devices connected to clouds. Such personal devices and corresponding WiFi networks represent another category of at-risk information.

Today, applications manage security — that’s backward

Security should be executed by the data itself: it would be baked into the data in such a way that security and data become inseparable. Protective structures around data would become unnecessary. Data-management responsibilities, in other words, shift to the data tier from the application tier.

And personnel overseeing various aspects of data (data-governance leaders, for example) should reach across the aisle and engage with data-management and data-security leaders to develop a set of data-centric policy enforcement guidelines.

To borrow a phrase from a July 2020 post on the blog of NetApp, a hybrid cloud data services company headquartered in California: “Security controls should be as close to the data as possible.”

Think about it as a matter of data quality control.

This could take many forms. One might be that members of several departments within a company would be allowed to view information in different areas of that business, but only certain department members would be permitted to update department-specific data. Another could be that everyone may view university or college course catalogs, but only a school administrator would have the power to edit the information in those catalogs.

Both instances are examples of data defending itself.

As information travels among storage systems, applications and various business contexts, its protection remains intact — no matter the type of network or application security. The data itself controls permissions and rules regarding identity and access. Those permissions and rules exist throughout the information’s lifecycle.

Benefits of data-centric security

When security exists within the data tier, rewards include the mitigation of data theft and loss, improved governance and compliance strategies and fewer surfaces vulnerable to attack combined with greater delivery velocity.

The current requirement that security logic be re-implemented throughout apps, data lakes, middleware and APIs becomes obsolete. Instead, security logic is automated and scalable. That solves a problem identified in the 2021 Verizon Data Breach Report that found that increased automation boosts offensive attacks as much as it moves the needle on defense.

Compliance is naturally incorporated into the overall governance strategy. And developers no longer expend time and energy on security and governance activities. Their sole responsibility is to build better applications and APIs.

Effective data-centric security policies succeed in three areas: management, tracking and protection. The first enables organizations to define policies determining who may access, contribute and use data. Tracking establishes a system for monitoring data across its supply chain as it moves through systems and users. The final piece closes the deal by imposing protocols for identity and access.

The paradox of more regulations that oversee data, including the European Union’s 2018 General Data Protection Regulation and the 2018 California Consumer Privacy Act, is that more information than ever is being shared by more people and organizations than ever. The exchange and brokering of data has become commonplace. Such a complex data supply chain screams for more robust security.

Keys to the solution are pairing identity with rules to make data-centric security as impervious as possible. Part of this approach includes a maxim that recently has gained more traction among cybersecurity experts: Verify but never trust. Verification relies on provable cryptographic identities connected to a variety of authorizations. Those rules work because they may be complex and arbitrary. Enforcement proceeds from database connections, answering questions such as, Is the user linked to the data? Or, are the user and data linked to the identical organization?
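As an added illustration (not code from the article or from Fluree), the following Python example pairs a verified identity with rules stored on the record itself, using the course-catalog case described earlier: everyone may view, only an administrator linked to the same organization may update. All names, keys and records are constructed, and HMAC with a shared secret is an assumed stand-in for public-key signatures.

```python
import hashlib
import hmac
import json

# Constructed identities. HMAC with a per-user secret stands in for "provable
# cryptographic identities" (assumption: real systems verify public-key signatures).
IDENTITIES = {
    "alice": {"key": b"alice-demo-key", "org": "univ", "roles": {"administrator"}},
    "bob": {"key": b"bob-demo-key", "org": "univ", "roles": {"student"}},
    "mallory": {"key": b"mallory-demo-key", "org": "other", "roles": {"administrator"}},
}

# Constructed record: the policy is stored with the data and travels with it.
CATALOG = {"course/101": {"org": "univ", "value": "Intro to Databases",
                          "policy": {"view": "anyone", "update": "administrator"}}}

def _mac(key, request):
    msg = json.dumps(request, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign(identity, request):
    return _mac(IDENTITIES[identity]["key"], request)

def authorize(identity, request, signature):
    """Data-tier check: verify the identity, then apply the record's own policy."""
    who = IDENTITIES.get(identity)
    record = CATALOG.get(request.get("id"))
    if who is None or record is None:
        return False
    if not hmac.compare_digest(_mac(who["key"], request), signature):
        return False  # identity not proven for this exact request
    rule = record["policy"].get(request.get("action"))
    if rule is None:
        return False  # default deny for actions the policy does not name
    if rule == "anyone":
        return True
    # Otherwise the role must match AND user and data must share an organization.
    return rule in who["roles"] and who["org"] == record["org"]

def execute(identity, request, signature):
    if not authorize(identity, request, signature):
        raise PermissionError(f"{identity}: {request.get('action')} denied")
    record = CATALOG[request["id"]]
    if request["action"] == "update":
        record["value"] = request["value"]
    return record["value"]
```

Because the signature covers the whole request, a signature issued for a view cannot be replayed to authorize an update, and an administrator role in a different organization does not satisfy the record's rule.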

The more rapid the adoption of data-centric security as a best practice, the quicker today’s arguably innumerable information vulnerabilities will disappear. And gone will be the reports of data breaches that the populace has accepted as normal and routine.

About the Author 

Brian Platz is co-founder and CEO of Fluree PBC, a North Carolina-based public benefit corporation focused on transforming data security, ownership and access with a scalable blockchain graph database.

Platz was an entrepreneur and executive throughout the early internet days and SaaS boom, having founded the popular A-list apart web development community, along with a host of successful SaaS companies.

Previous to establishing Fluree, Brian co-founded SilkRoad Technology which grew to over 2,000 customers and 500 employees in 12 global offices. Brian can be reached online at @bplatz and at www.flur.ee.

May 20, 2022
