Informatica and Ponemon Institute concluded their second annual survey on data centric security, titled “The State of Data Security Intelligence.” This follows last year’s report on “The State of Data Centric Security.”
The survey results yield no surprises as they mirror the never-ending data breach headlines: organizations perceive more risk as they have less confidence about their understanding of their sensitive data. Where is our data and where is it going? What is its value, protection, usage and growth?
Those concerns continue to drive confidence lower as organizations struggle to focus data and network security investments to reduce risk and improve breach resiliency. Additionally, organizations struggle to track data use and movement to ensure they comply with the byzantine landscape of privacy laws and regulations. Coupled with the ever-growing threat volume and sophistication, security executives and practitioners revealed in the survey that they need to make fundamental additions to their strategies and tactics: data centric strategies and tactics.
The survey was significant (over 1,600 participants) and represents a worldwide cross section of industries, executives, line-of-business management and security professionals. Key findings support the conclusion that data centric security would help organizations reduce overall data breach risk.
- First, when asked what keeps IT practitioners up at night, 64% of those surveyed cited not knowing the location of their sensitive data. This does not mean organizations are not performing assessments of critical data and applications. The inference is that data growth and proliferation render manual processes, custom tools and surveys obsolete for developing an accurate and actionable picture of an organization’s sensitive data risk. When asked if automation of sensitive data risk scoring would help, 77% indicated that automation would help improve their efforts; 80% of respondents said that not knowing sensitive data risk was a concern.
- Second, cloud does not provide safe harbor or reduce anxiety about data security and breach. In almost all categories, the survey indicates that organizations are actually more concerned about data security in the cloud than they are about data on-premises. If an organization does not know what it has on premises, it is highly unlikely that it will understand what it has moved to cloud for platform or application services. Additionally, data in the cloud is just as dynamic (if not more so) as data on premises. Data growth and proliferation from and within the cloud raise security and privacy risks if not carefully understood and managed.
- Third, many organizations have not deployed data security controls. Surprisingly, only 56% of reporting organizations cited the use of data encryption. Data loss prevention is only 42% and data masking only 35%. Given the myriad of regulations and privacy laws calling for the encryption, tracking and de-identification of sensitive data, these statistics indicate that most sensitive data is open to inside and outside attacks, as well as privacy law violations.
With growing data proliferation from outsourcing, analytics, B2B initiatives and customer-enabled web services, organizations should assume that data will be compromised. With the combination of masking, encryption and other technologies, organizations can reduce their sensitive data risk from attacks and reduce the likelihood of privacy violations. Attackers will seek authorized access to data via social engineering and phishing; key to limiting sensitive data exposure is the tight control of sensitive access. These technologies help organizations enact least privilege and need-to-know data access policies.
The survey provides other key indicators that sensitive data needs to be front and center for security strategies and tactics. It strongly suggests that organizations should consider data a new perimeter for their security and privacy efforts. Data centric security provides the means to accomplish this task: understand sensitive data risk and implement data controls for security, privacy and auditing.