How to Protect Sensitive Data without Having to Guess the Next Attack Vector

Focusing on data for effective and sustainable protection

In my previous post, I wrote about the futility of constantly protecting against the most recent breach rather than focusing on protecting the data itself. I want to expand on why I think focusing on the data is a much more effective way to defend against outsider attacks.

In the vast majority of cases, an adversary is attacking a target in an effort to steal data. The type of data varies depending on the goals of the attacker (e.g. financial information, consumer data, competitive designs, or source code), but in all cases their end goal is stealing the data. An effective, sustainable defense against these attacks has three core requirements that are centered on applying protection directly to the data:

  1. Identify sensitive data continuously. It is obviously hard to protect data if you don’t know where it is at all times. Generating a point-in-time inventory of data is a first step, but doesn’t account for data that is created or modified after the inventory, or the movement of data over time. To protect data, an organization must consistently and continuously identify and classify data as it is created or modified.
  2. Monitor sensitive data continuously. Data isn’t static. Employees, customers, and partners use and modify it, as do business applications. Protecting a data store is good, but critical data also exists on laptops and mobile devices, or in email to users inside or outside the enterprise. Knowing where the data “used to be” doesn’t help. It must be tracked throughout its life (and maintain appropriate classification).
  3. Protect sensitive data use contextually. Protecting data doesn’t mean simply locking it down. It requires a contextual understanding of three factors: what actions may be taken with the data; by whom; and, under what circumstances. Certain actions may be permissible on the corporate network, but not off the network. Privileged users need to configure devices but should prohibited from viewing specific files on those devices. (This is context aware security.)

Reacting to previous breaches can obviously plug holes in an organization’s defenses, but it’s not a sustainable strategy. By applying protection directly to data, organizations gain continuous visibility to data creation and use. If you know where your data is, at all times, policies controlling its use (and blocking misuse) are simpler to implement. In short, data-centric security protects sensitive information without having to guess the next attack vector.

Mike Pittenger
Related Articles
The Dutch Boy and the Data Leak

Home Depot,, and Goodwill all announced data breaches in September. They will all now investigate how these leaks occurred and build defenses to prevent those particular attacks from repeating.

Insider or Outsider - Does it Matter?

Much noise is made about the risks associated with insider threats versus outsider threats, but why?

Analysts on Data-Centric Security

The Times They Are a-Changin' – a look back on analysts' evolving views on information security

Mike Pittenger

Mike Pittenger is vice president, security strategy at Black Duck Software. Mike has over 30 years of technology business experience, including over 15 in application security. He was a co-founder of Veracode and led the product divisions of @stake and Cigital. He can be reached at mwpittenger [at]

Please post your comments here