It’s 2023. Do you know where your data is?
Perhaps not, thanks to the fact that the traditional network perimeter has expanded. It’s no longer necessarily inside your agency—it’s in various clouds, and even inside and outside your employees’ homes.
This is the new data perimeter. If the network perimeter was like a protective moat that surrounds a castle, the data perimeter is the small houses that dot the landscape around the royal grounds. Each of these houses has a single zero-trust network access door through which only privileged users should be able to enter.
The problem is that it’s difficult to know where these houses are located, much less how to protect them. The highly distributed environment makes it nearly impossible to achieve true visibility into all potential entry points—and that makes it difficult to impose effective security measures, including access controls.
Shifting from a focus on network-centric to data-centric security enables a true zero-trust strategy, while simplifying and unifying what has become an overly complex security landscape.
A cloud isn’t just a cloud service
Why is today’s security landscape so complex? Part of the reason is the ongoing reliance on multi-cloud platforms, which have caused data to be distributed far and wide.
But what exactly is a cloud, anyway?
When someone hears the word “cloud,” they typically think of different cloud services, such as Microsoft Azure or AWS—but those are not the only types of clouds you’re probably using. Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Containers-as-a-Service (CaaS) solutions also house a great deal of data.
Then, there are on-prem clouds, which many agencies use to store highly sensitive information, as well as to save money or adhere to federal regulatory requirements. These should be considered extensions of your data security landscape.
In short, any service you’re using that can deliver data to your employees, contractors, and partners must be protected. That could be a classic cloud, a platform, or an application—if it’s using or housing data, it must be kept secure.
That’s a big challenge when there are so many services out there. How do you protect them all when they are so widely distributed?
Start by unifying and consolidating the way you manage data security.
Toward unification and simplicity
Unifying security management starts with two things: unified identity access, which lets you segment access privileges by each user’s identity and role, and an analytics platform that centralizes security logs, which provides much-needed visibility into how data is being accessed and used and supports granular policies on user access to sensitive data.
By unifying and consolidating, you’ll be able to apply and manage one set of security policies from a single console and through a single endpoint. You’ll be able to monitor all data as it passes from cloud to cloud, user to user, and back and forth.
When consolidating, consider implementing the following tools:
· A cloud access security broker (CASB) that can enable identity-based access controls for cloud applications.
· A secure web gateway (SWG) that monitors and safeguards interactions with any website and that, together with a CASB, offers control and visibility over shadow IT activity. For example, an SWG may block the ability to upload sensitive information to any personal file-sharing site.
· Zero-trust network access (ZTNA), which focuses on protecting resources instead of network segments. ZTNA can be used with a CASB to let security teams deliver identity-based access controls for internal and cloud applications seamlessly using single sign-on (SSO).
· A data loss prevention (DLP) tool to consistently protect sensitive data across the cloud, web, and private applications.
Unified management should cover all agency data accessed through any private app, cloud app, website, or device. Additionally, it must control how agency employees use managed and unmanaged devices. Within this streamlined security model, no one can bypass enforcement, even if they’re using their own devices.
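As an added illustration (not code from this article or from Forcepoint), the following Python sketch applies one consolidated policy set to constructed access events, combining the role-based segmentation, destination categorization, DLP labelling and managed/unmanaged device checks the tools above provide; every user, role, label and destination in it is an assumed sample value.

```python
from dataclasses import dataclass

# Constructed sample policy data (assumed, not from any real agency):
# which data labels each role may touch, and how the SWG/CASB categorizes destinations.
ROLE_CLEARANCE = {
    "analyst": {"public", "internal"},
    "records-officer": {"public", "internal", "sensitive"},
}
DESTINATION_CATEGORY = {
    "files.agency.example": "private-app",
    "sanctioned-saas.example": "sanctioned-cloud",
    "personal-share.example": "personal-file-sharing",
}

@dataclass
class Event:
    user: str
    role: str
    managed_device: bool
    destination: str
    action: str        # "download" or "upload"
    sensitivity: str   # DLP label on the data involved

def decide(ev: Event) -> tuple[str, str]:
    """Return (verdict, reason) for one event under the single unified policy set."""
    category = DESTINATION_CATEGORY.get(ev.destination, "unknown")
    # Identity/role segmentation: the data label must be within the role's clearance.
    if ev.sensitivity not in ROLE_CLEARANCE.get(ev.role, set()):
        return "block", f"role {ev.role} not cleared for {ev.sensitivity} data"
    # DLP: sensitive data never leaves to personal file-sharing or unknown destinations.
    if ev.action == "upload" and ev.sensitivity == "sensitive" \
            and category in {"personal-file-sharing", "unknown"}:
        return "block", f"sensitive upload to {category} destination"
    # Device posture: unmanaged devices get non-sensitive downloads from sanctioned apps only.
    if not ev.managed_device and (category != "sanctioned-cloud"
                                  or ev.action != "download"
                                  or ev.sensitivity == "sensitive"):
        return "block", "unmanaged device limited to non-sensitive downloads from sanctioned apps"
    return "allow", f"{ev.role} may {ev.action} {ev.sensitivity} data via {category}"

def evaluate(events: list[Event]) -> list[tuple[str, str, str]]:
    """Run the same policy over every event; returns (user, verdict, reason) per event."""
    return [(ev.user, *decide(ev)) for ev in events]

# Constructed sample events covering each enforcement path.
SAMPLE_EVENTS = [
    Event("alice", "analyst", True, "personal-share.example", "upload", "internal"),
    Event("bob", "records-officer", True, "personal-share.example", "upload", "sensitive"),
    Event("carol", "analyst", True, "files.agency.example", "download", "sensitive"),
    Event("dave", "records-officer", False, "files.agency.example", "download", "internal"),
    Event("erin", "records-officer", False, "sanctioned-saas.example", "download", "internal"),
]

if __name__ == "__main__":
    for user, verdict, reason in evaluate(SAMPLE_EVENTS):
        print(f"{user:6} {verdict:5} {reason}")
```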
Through consolidation, you can improve compatibility, reduce disconnects, close gaps, and improve security efficacy. With efficacy comes accuracy, allowing teams to cut through alert noise and minimize investigation time.
Most importantly, you’ll gain far greater control over your data—in 2023 and beyond.
Petko Stoyanov is CTO, Global Governments and Critical Infrastructure, at Forcepoint, a multinational software company based in Austin, Texas.
Have an opinion?
This article is an Op-Ed and the opinions expressed are those of the author. If you would like to respond, or have an editorial of your own you would like to submit, please email C4ISRNET and Federal Times Senior Managing Editor Cary O’Reilly.