Significant data breach related news is continuously making headlines, and organisations involved in such breaches have suffered irreplaceable loss of intellectual property, losing customer and business partner trust, incurring considerable fines, decreasing revenue or profit or dropping in share prices. In today’s rapidly changing IT environment, an information security model that emerged in the early days of the Internet does not work as well as it used to.
Another reason for a new framework is to confront increasing insider threats. Traditionally, insider threat management was always on the top of the priority list for many organisations’ general security practices, but it has been often ignored in information security, relying on security guidelines and regulations without proper technical measures. In addition to cloud, mobile and insider threats, advanced persistent threat (APT) has become the latest concern of CISOs. As cyber-attacks are constantly diversifying and evolving, it has become a complicated game of cat-and-mouse, and often times hackers are one step ahead in the game.
Cloud and mobile computing, insider threat and APT are forcing organisations to review and re-shape existing security frameworks to overcome challenging security issues and prevent data breaches.
The architecture of a new data security framework
Data-centric security model
Within organisations, unstructured data causes lots of security issues since it is constantly being created and used by many different users, moved and stored in multiple locations while structured data is generally stored and managed in secure environments. Therefore, it is not easy to design a security model for data, unstructured data. Organisations should incorporate a security policy not only for data at rest or in transit, but also in use. In a new security framework, organisations should apply a security policy to data itself rather than controlling access to networks and systems.
Data security policies are constantly challenged by the unpredictable nature of data usage in a business environment. This is why security policy on data should be people-centric. The policy should be flexible and dynamically enforceable based on rich context including content, user, device, time, location, etc. Even though a flexible policy is in place, organisations need to allow exceptions to minimise productivity issues. A security policy on data should maintain a balance between security and productivity to allow users to perform business operations without interruption since access to data occurs on multiple devices by different users throughout its lifecycle.
A security framework that has a data-centric security model with people-centric policy may not be secure enough if it has only a single layer of policy enforcement. The reasons are that exceptions are inevitable in a dynamic business environment, and exclusions can be easily found in real implementations. Exceptions are a temporary deviation from policy, and exclusions are an exemption from applying security policy.
Fasoo Data Security Framework
The Fasoo data security framework consists of a three-tiered suite of solutions to strengthen information security. The Fasoo Enterprise DRM (FED) suite plays a pivotal role to enforce security policy on data among three layers of data protection. At the front-end, Fasoo eData Manager discovers and classifies the data, reapply policy to the data unprotected due to policy exceptions and exclusions. At the back-end, Fasoo RiskView enables organisations to manage risks holistically by collecting and analysing logs of data usage and various sources that can be useful. This multi-layered approach enhances and completes an organisation’s security framework.