The Data Breach Triangle
When I go camping, I know there are three essential elements to creating a fire: heat, fuel and oxygen. Take one of these elements out of the “fire triangle” and the fire goes out. The same can be said for the data breach triangle. This term was coined by Rich Mogull from Securosis, and his model shows that a breach needs three core elements: exploit, egress and data. Remove any of them and the breach is prevented.
Too often, companies will invest in preventing the exploit through detection tools, identity and access management (IAM), vulnerability managers and so forth. But there’s not enough focus on core data security: encryption, data activity monitoring and data loss prevention, among other protection solutions. To have a balanced approach, you have to invest in all areas.
About Data Activity Monitoring and Data Loss Prevention
Let’s take a look at two complementary technologies: data activity monitoring (DAM) and data loss prevention (DLP).
DAM solutions should continuously monitor all data access operations in real time to detect unauthorized actions based on detailed contextual information — the who, what, where, when and how of each data access. These solutions must be able to react immediately to prevent unauthorized access or suspicious activity by privileged insiders and potential hackers, and automate data security governance controls in heterogeneous enterprises. With the right architecture, DAM can improve security and support compliance requirements through a set of core capabilities while also minimizing total cost of ownership.
Back in 2009, when DLP was the buzzword in the security industry, DAM and DLP shared the limelight. At the RSA Conference, main-stage talks were focused on DLP. Everyone thought it was the silver bullet for data security. But as time marched on, people realized it was a security pitfall – DLP alone was not sufficient. DAM and DLP needed to work together.
DAM and DLP certainly share some similarities. For example, both solutions focus on the data and its associated context, behavior and activity, in addition to content awareness. Both are well suited to meeting compliance requirements like PCI, HIPAA and SOX. And both help engage line-of-business (LOB) owners.
But the offerings also have their differences. DLP is focused mostly on perimeter activities: the outbound network, endpoints, etc., while DAM focuses on the source of the organization’s crown jewels, usually in databases and data warehouses. DAM solutions have better visibility into the movement of sensitive data from the source to the next hop — applications, privileged users, spreadsheets, etc. DAM also captures the very granular context and behavior surrounding the data. Essentially, DLP concentrates on data at rest on database solutions, while DAM monitors data at rest as well as access and usage through SQL transactions, privileged users, etc., and even applies DLP concepts by blocking, masking or quarantining risky traffic.
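To make the “who, what, where, when and how” context and the block/mask/quarantine reactions described above concrete, here is an added example of a miniature DAM-style policy engine. It is illustrative code written for this page, not Securosis’s model or any vendor’s product; the table names, hosts, client applications, thresholds and the sample access events are all constructed assumptions. Each event is one observed database access, and the engine returns the action a DAM tool would take, evaluating the highest-impact rules first.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# --- Policy inputs (constructed sample values, not from the article) ---------
SENSITIVE_TABLES = {"customers", "card_data"}          # the "crown jewels"
MASKED_COLUMNS = {"ssn", "card_number"}                # masked for ad-hoc tools
PRIVILEGED_ROLES = {"dba"}
APPROVED_ADMIN_HOSTS = {"jump01.corp.example"}         # hypothetical jump host
AD_HOC_CLIENTS = {"Excel", "SQLDeveloper"}             # spreadsheet / query browsers
BUSINESS_HOURS = range(7, 20)                          # 07:00-19:59 local time
BULK_ROW_THRESHOLD = 1000                              # rows before "quarantine"


@dataclass
class AccessEvent:
    """One database access observation: who, where, how, when, what."""
    user: str
    role: str
    src_host: str
    client_app: str
    timestamp: datetime
    sql: str
    rows_returned: int


@dataclass
class Decision:
    action: str            # allow | alert | mask | block | quarantine
    reason: str
    table: Optional[str]   # first sensitive table involved, if any


_VERB_RE = re.compile(r"^\s*(select|insert|update|delete|grant|alter|drop)\b", re.IGNORECASE)
_TABLE_RE = re.compile(r"\b(?:from|into|update|join)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_sql(sql: str) -> Tuple[str, Set[str]]:
    """Return (statement verb, set of referenced table names). Deliberately
    lightweight: real DAM products use a full SQL parser."""
    m = _VERB_RE.match(sql)
    verb = m.group(1).upper() if m else "UNKNOWN"
    tables = {t.lower() for t in _TABLE_RE.findall(sql)}
    return verb, tables


def evaluate(ev: AccessEvent) -> Decision:
    """Apply the policy to one event, most severe rule first."""
    verb, tables = parse_sql(ev.sql)
    touched = sorted(tables & SENSITIVE_TABLES)
    table = touched[0] if touched else None
    if not touched:
        return Decision("allow", "no sensitive table referenced", None)

    # who + where: privileged roles may only touch sensitive data from approved hosts
    if ev.role in PRIVILEGED_ROLES and ev.src_host not in APPROVED_ADMIN_HOSTS:
        return Decision("block", f"role {ev.role} from unapproved host {ev.src_host}", table)

    # how much: bulk extraction is quarantined for review
    if verb == "SELECT" and ev.rows_returned > BULK_ROW_THRESHOLD:
        return Decision("quarantine", f"{ev.rows_returned} rows exceeds {BULK_ROW_THRESHOLD}", table)

    # how: ad-hoc tools reading protected columns get masked output
    if ev.client_app in AD_HOC_CLIENTS and verb == "SELECT":
        cols = {c.lower() for c in _IDENT_RE.findall(ev.sql)}
        if cols & MASKED_COLUMNS:
            return Decision("mask", f"{ev.client_app} read masked columns {sorted(cols & MASKED_COLUMNS)}", table)

    # when: access outside business hours is allowed but raises an alert
    if ev.timestamp.hour not in BUSINESS_HOURS:
        return Decision("alert", f"sensitive access at {ev.timestamp:%H:%M} outside business hours", table)

    return Decision("allow", "sensitive access within policy", table)


def sample_events() -> List[AccessEvent]:
    """Constructed events standing in for a captured database audit stream."""
    t = lambda h: datetime(2024, 1, 15, h, 0)  # noqa: E731 (constructed date)
    return [
        AccessEvent("app_svc", "application", "app01.corp.example", "OrderService", t(10),
                    "SELECT name FROM customers WHERE id = 42", 1),
        AccessEvent("jdoe", "dba", "laptop-77.corp.example", "psql", t(11),
                    "SELECT * FROM card_data", 5),
        AccessEvent("asmith", "analyst", "ws-12.corp.example", "Excel", t(14),
                    "SELECT ssn, name FROM customers", 200),
        AccessEvent("asmith", "analyst", "ws-12.corp.example", "Tableau", t(2),
                    "SELECT name FROM customers WHERE region = 'EU'", 50),
        AccessEvent("bwong", "analyst", "ws-30.corp.example", "SQLDeveloper", t(15),
                    "SELECT ssn FROM customers", 50000),
        AccessEvent("app_svc", "application", "app01.corp.example", "CatalogService", t(9),
                    "SELECT * FROM products", 300),
    ]


def run_sample() -> List[str]:
    """Evaluate the constructed events and return the actions in order."""
    return [evaluate(ev).action for ev in sample_events()]


if __name__ == "__main__":
    for ev in sample_events():
        d = evaluate(ev)
        print(f"{d.action:<10} {ev.user:<8} {ev.client_app:<14} {d.reason}")
```

The rule order is the point: a bulk pull by an ad-hoc tool is quarantined rather than merely masked, and a privileged user on the wrong host is blocked before any other context is considered. Swapping in a real SQL parser, a live session feed and a response hook (terminate session, rewrite result set) is what separates this sketch from a production DAM deployment.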
A Porous Security Perimeter and Data Security
The modern-day perimeter has become extremely difficult to secure due to IT megatrends around cloud, mobile and big data, and first-generation DLP capabilities simply have not kept up with some of the challenges. Businesses need a solution that includes current techniques and is able to integrate with DAM. It’s important to choose a DAM technology that can keep up with recent megatrends, work in real time and enable you to deploy with the least amount of overhead.
Learning about the most common data protection pitfalls can help organizations recognize their security weaknesses and improve their defenses. Watch the on-demand webinar “It’s 2 a.m.: Do You Know Who’s Accessing Your Sensitive Data?” to learn more about securing your critical assets and preventing data breaches with core data security.