Musings on Modern Data Security - All Articles - CISO Platform

Musings on Modern Data Security

(this is cross-posted from Anton on Security)

As I am expanding my responsibilities to cover some exciting data security topics (like, say, our cloud data discovery DLP), I wanted to briefly discuss a few broader issues I have noticed related to modern data security.

To start, would you agree that much of the recent security excitement has largely passed the area of data security by? All this exhilarating hunting, threat intel, SOAR, mobile threat detection, EDR, much of ML/”AI” for security — even anti-malware! — is really not about data. So, go ahead and name one recent security innovation that is centered on data security?!

Furthermore, even some of the recent data breach lessons do not mention data security all that much. Isn’t this interesting? Data is stolen or lost, but all the attention goes to misconfigured systems, WAF bugs, firewall rule mistakes, even negligent users who got phished. Sure, in some cases we hear that “some data was encrypted”, but it is always mentioned in passing like “the attackers didn’t get the actual card numbers because encryption … but … well … they got everything else.”

As a result, it feels like some of the data security efforts and projects became excessively infused with compliance (i.e. “check-the-box” thinking). So, here is the paradox for you: as compliance is being squeezed out of security (here is a 2013 blog to prove it), data security remains (or perhaps even becomes?) a fortress where compliance holdouts cower.

To further illustrate this, I feel that there is a notable decoupling of data security from threats. Now, some of this is not necessarily wrong — not every security control is deployed in response to a specific threat. For example, encrypting a database may be driven by the sensitivity of the data in the database, and hence be an “asset-centric” control, not a “threat-centric” or “compliance-centric” one.

However, over the years I’ve seen a fair amount of data security controls, from DLP to encryption, deployed in blatant disregard for what the actual threats do. From the notorious database column encryption where the key is in another column, to badly encrypted hard drives, to DLP that only catches good people making mistakes, compliance data security has spread far and wide. Along the same theme, cases where people use encryption and then decrypt the data in the very place where it is most likely to be attacked illustrate a similar lack of thinking about the threats. As somebody said, “sometimes encryption is seen as pure magic that you just slap onto something to make it secure.” (source) “Checkbox encryption” can be reasonably assumed to be worse than no encryption at all, due to the resulting false sense of security and hence a wrong perception of acceptable risks.
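To make the “key in another column” point concrete, here is an added example (not from the original post): the same ciphertext stored two ways, then the threat the post has in mind, a stolen copy of the whole table, replayed against both. A stdlib HMAC-SHA256 keystream stands in for a real AEAD such as AES-GCM, and every table row, key and key service here is constructed for the demonstration.

```python
"""Checkbox encryption vs. key separation (added example, constructed data)."""
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real AEAD cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # authenticate nonce||ct
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def store_checkbox(card: str) -> dict:
    """Anti-pattern from the post: the per-row key sits in the next column."""
    key = os.urandom(32)
    return {"card_enc": encrypt(key, card.encode()), "card_key": key}

class KeyService:
    """Hypothetical key service: the database tier never holds the key itself."""
    def __init__(self) -> None:
        self._keys = {"cards-v1": os.urandom(32)}
    def encrypt(self, key_id: str, data: bytes) -> bytes:
        return encrypt(self._keys[key_id], data)
    def decrypt(self, key_id: str, blob: bytes) -> bytes:
        return decrypt(self._keys[key_id], blob)

def store_separated(ks: KeyService, card: str) -> dict:
    """Row carries ciphertext and a key *reference* only; the key stays in ks."""
    return {"card_enc": ks.encrypt("cards-v1", card.encode()), "key_id": "cards-v1"}

def dump_recovers_plaintext(rows: list) -> list:
    """Threat: someone obtains a full copy of the table (backup theft, SQLi).
    Returns every card number recoverable from the dump alone."""
    recovered = []
    for row in rows:
        if "card_key" in row:  # the key came along with the data
            recovered.append(decrypt(row["card_key"], row["card_enc"]).decode())
    return recovered
```

The dump alone yields every card from the checkbox table and nothing from the separated one, so the second design actually stands against the threat rather than merely ticking the “encrypted at rest” box.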

However, this does not have to be the case! Here is the punchline: data security is (or at least should be) about security. Data security controls that withstand real threats and protect your data do exist! Encryption deployed in a way that protects the data and increases trust does exist! More on this in the coming weeks (here).

Comments

  • Interesting thoughts, Anton. Securing the organization's data is (and must be) the key aspect of an organization's security policy. This coupled with business continuity & uptime ('data and systems availability') considerations should form the core of an organization's security posture.

    Significant numbers of security controls today are compliance-driven and require re-assessment to maintain their alignment to the original objectives and purpose ('why' part) of the information security policy.
