The next time you attend a CISO conference panel, approach the mike and ask who uses encryption, leakage prevention, identity management, and behavioral analytics to protect their data. Expect every hand to go up, because – you will be told – no enterprise security team of any consequence could ever survive the jungle of modern compliance, audit, and regulatory demands without this familiar set of data controls.
But now ask these CISOs how their data security is coordinated across the seams of their architecture. What you will hear, I am afraid, are crickets. This should not be a huge surprise, because protecting data traversing product boundaries in an enterprise has been a weakness in our industry. Just ask those retailers who had credit card data stolen as it flowed across unprotected workflow interfaces.
This challenge emerged during a review with the executive team from Global Data Sentinel, a New York-based cyber security company founded in 2014 and focused on securing data. The salient aspect of the GDS approach involves umbrella solutions for data security across existing controls. “We provide an end-to-end protection approach for customer data across the entire enterprise,” explained CEO John Galinski.
Inherent in the GDS solution is a concept known as a Data Management Operating System (DMOS), which supports the pillars of data security including encryption, identity and access, audit, and behavioral analytics. The DMOS umbrella is unique because it supports these familiar security controls by focusing specifically on the seams where data leakage or theft might naturally occur.
Architecturally, DMOS starts with GDS infrastructure in the cloud that supports key management and related data security functions. Partial key-based distributed controls ensure that multiple parties must coordinate to unlock protected data. The GDS gateway, positioned inside the firewall, includes open interfaces to existing or planned data security solutions in the enterprise.
DMOS makes special client reader software available for data sharing across an enterprise, but GDS also offers an agentless solution that uses native browser protections. This is important, because while many applications are perfectly suited to special client readers, some are not. I suspect this is a design issue that will evolve in the data security marketplace.
One of the example use-cases we discussed involved large government agencies using the GDS DMOS to coordinate structured and unstructured data controls into a true end-to-end solution across their organizational infrastructure. “Our use cases range from offering encryption support across different organization boundaries,” Galinski said, “to supporting data security inventory across an environment resulting from multiple acquisitions.”
Addressing this challenge of ensuring data security across the seams also helps reduce the risk from advanced persistent threats. Such advanced breaches involve lateral traversal, usually guided by Active Directory, to locate and grab any valuable information. Clearly, an umbrella data protection program that overlays or complements the constituent, underlying security controls will reduce the APT risk to data considerably.
A practical difficulty implementing any umbrella strategy involves convincing upper management that complementary data security controls are required in conjunction with existing security solutions. For example, if the organization just invested in encryption, then it might take some clever negotiating skills to explain why another data security product might be required. But don't let this slow you down: It’s worth the effort.
To summarize: The idea of an umbrella data protection program across the key pillars of enterprise security resonated with me strongly. Umbrellas cover seams, and it is my belief that most successful data security attacks reside in the interfaces between systems. Have a look at this interesting technology from Global Data Sentinel and see if it makes sense to cover the data security seams in your own organization.
Let me know your experience.