Analysts on Data-Centric Security

The Times They Are a-Changin' – a look back on analysts' evolving views on information security

"As we’ve seen over the past few years, our cyber adversaries want to steal our data; whether it's credit card information, emails, or intellectual property."
– Jon Oltsik, principal analyst, Enterprise Strategy Group (ESG)

For years, industry analysts advised enterprises to build stronger perimeters and watch for attackers. As a result, companies and government agencies spent billions of dollars each year on hardened networks, intrusion detection/prevention, and anti-malware.

Anyone notice a decline in data breaches?

We’re now seeing a change in the analysts’ tune: a recognition that the focus should be on directly protecting the assets valued by attackers – the data itself. As former @stake CTO Dan Geer stated recently, "It’s not about keeping the bad guys out, it’s about keeping the valuable data in."

"(A Zero Trust Approach) fundamentally shifts the focus from the perimeter to the data itself…"
– Forrester Research, The Future of Data Security: A Zero Trust Approach, June 2014

Nobody will endorse eliminating perimeter security. It’s a fact that you are safer if the attackers are outside your network. However, it can’t be the primary defense mechanism. What happens, for example, when attackers steal the credentials of a privileged user? In that case, we must be able to discern the context of data use, not simply who the user purports to be. A data-centric approach provides a defense against the worst-case scenario: a determined attacker with access rights to the most critical data.

"To be effective with data-centric security, you have to create visibility so there is an understanding of how information is being used by employees and contractors. You need to know who is using data and whether the proper safeguards are in place to protect that data. It's hard for an organization to have true visibility without the right tools—things like real-time monitoring capabilities or policy workflow management. You need those tools to understand where data is flowing, what kind of controls are in place, or if there's evidence of misuse or data leakage."
– Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute

Data-centric security provides continuous awareness of data classification and location, and allows organizations to enforce appropriate use by individuals and systems. It simply makes sense to focus on the data rather than individuals or networks. It’s good to see the analysts agree.

Mike Pittenger


Mike Pittenger

Mike Pittenger is vice president, security strategy at Black Duck Software. Mike has over 30 years of technology business experience, including over 15 in application security. He was a co-founder of Veracode and led the product divisions of @stake and Cigital. He can be reached at mwpittenger [at]
