I’m both excited and concerned to write about data security as one of the hot trends to monitor in 2021. Data security is a tough topic to summarize, and I’d argue it may be the most misunderstood category in security right now. We’re a raw industry that has been shaken up repeatedly over the years. We’ve had micro-services, Agile software development, public cloud, GDPR, multi-cloud, work-from-home, federal regulations and SaaS applications all disrupting how we live and work.
It’s gotten to the point now that if you were to ask a CISO what they’re doing to protect their data, you’d get a different answer each time; there is no consistency. Yet, if you were to ask those same folks who the leading vendors for data storage, analytics and processing were, clear market leaders would quickly emerge.
Yet the idea of protecting data is still synonymous with cybersecurity. Data continues to be a top-3 security topic in the boardroom: “What are we doing to protect our customers’ and the organization’s data?” If the many, many public breaches have told us anything over the years, it’s that losing data escalates a “security incident” into a “data breach”. Lawyers get involved when we lose control of our data. How else would we figure out our liability to our suppliers and customers?
There is a reason we’re in this situation: for the longest time, security was architected with “defense in depth”. Data was the soft, squishy middle of a hardened perimeter. We protected data by first making sure our endpoints weren’t compromised, then by making sure threats weren’t moving around our networks undetected, then by making sure our applications weren’t vulnerable to data leaks. Now that we’re all moving towards the multi-cloud, SaaS world, the castle walls we’ve built over the years no longer work. It’s impossible to monitor data flowing across clouds, microservices, internal and external applications, geographies, data centers and technologies.
Considering all of this complexity, it’s clear to me that most projects will adopt a “back to the basics” theme. Even though each company doesn’t have the same crown jewels, business models or customers, I envision most data security projects this year will align to the first two parts of NIST’s Cybersecurity Framework: Identify and Protect. The remaining three (Detect, Respond and Recover) will come later as the industry starts to train the people, mature the processes and develop the technologies to begin to reasonably protect disparate data via the 80/20 rule.
Aligned to Identify and Protect, I expect to see two camps of data security projects: Visibility and Control. One set of folks will be interested in visibility: How much data do I have? Where is it stored? Who has access to it? What is our current risk profile, given the data that is accessible and our threat model? How can I protect the data? Are there any quick wins that would significantly reduce risk? Perhaps we can delete sensitive data from our staging environment?
Another set of folks will be interested in control. How can we protect our data by design? Are there ways for us to segment data by groups and roles? What technology is out there that allows us to enforce policy as data is being generated, as it moves across the network and while it sits in production?
In the end, I envision a “data firewall” being created to merge those two paths, and I see it as an important milestone in this category. We’ve had a version of the firewall to protect the endpoint, the network and the application. Each of these firewalls complemented a technology shift: personal computing, local networks, the internet, mobile, IoT. It’s only logical that we’ll see a new firewall emerge in response to multi-cloud, with the firewall moving closer to the data; a pattern we’ve seen repeat for multiple decades now.