Analysts on Data-Centric Security | Digital Guardian

Analysts on Data-Centric Security

The Times They Are a-Changin' – a look back on analysts' evolving views on information security

"As we’ve seen over the past few years, our cyber adversaries want to steal our data; whether it's credit card information, emails, or intellectual property."
– Jon Oltsik, principal analyst, Enterprise Strategy Group (ESG)

For years, industry analysts advised enterprises to build stronger perimeters and watch for attackers. As a result, companies and government agencies spent billions of dollars each year on hardened networks, intrusion detection/prevention, and anti-malware.

Anyone notice a decline in data breaches?

We’re now seeing a change in the analysts’ tunes; a recognition that the focus should be on directly protecting the assets valued by attackers – the data itself. As former @stake CTO Dan Geer stated recently “It’s not about keeping the bad guys out, it’s about keeping the valuable data in."

"(A Zero Trust Approach) fundamentally shifts the focus from the perimeter to the data itself…”
– Forrester Research, The Future of Data Security: A Zero Trust Approach, June 2014

Nobody will endorse eliminating perimeter security. It’s a fact that you are safer if the attackers are outside your network. However, it can’t be the primary defense mechanism. What happens, for example, when attackers steal the credentials of a privileged user? In that case, we must be able to discern the context of data use, not simply who the user purports to be. A data-centric approach provides a defense against the worst-case scenario; a determined attacker with access rights to the most critical data.

To be effective with data-centric security, you have to create visibility so there is an understanding of how information is being used by employees and contractors. You need to know who is using data and whether the proper safeguards are in place to protect that data. It's hard for an organization to have true visibility without the right tools—things like real-time monitoring capabilities or policy workflow management. You need those tools to understand where data is flowing, what kind of controls are in place, or if there's evidence of misuse or data leakage.
– Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute

Data-centric security provides continuous awareness of data classification and location, and allows organizations to enforce appropriate use by individuals and systems. It simply makes sense to focus on the data rather than individuals or networks. It’s good to see the analysts agree.

Mike Pittenger

Customer Spotlight: Deploying a Data Protection Program in Less Than 120 Days

Michael Ring, IT Security Architect at Jabil Circuit shares how they deployed Digital Guardian to over 40,000 users in less than 120 days. Watch the webinar on demand now.

Watch Now

Related Articles
The Role of Security Analytics in Information Security Programs

18 infosec pros and analytics experts reveal the role of security analytics in information security programs today.

Insider or Outsider - Does it Matter?

Much noise is made about the risks associated with insider threats versus outsider threats, but why?

Data-centric Security for Healthcare Compliance

Focusing security efforts on sensitive data to meet healthcare regulatory requirements

Mike Pittenger

Mike Pittenger is vice president, security strategy at Black Duck Software. Mike has over 30 years of technology business experience, including over 15 in application security. He was a co-founder of Veracode and led the product divisions of @stake and Cigital. He can be reached at mwpittenger [at]

Please post your comments here