1 Introduction
Cloud services offer many benefits, including the ability to meet changing demands and the flexibility to deliver new business solutions faster. Office 365 and SharePoint as Software as a Service (SaaS) offerings from Microsoft are the tool of choice in many organizations and industries for office collaboration, daily document work, and secure information exchange with extended supply chains and partners. However, many organizations today also have a hybrid IT environment in which some IT services are delivered on-premises in the enterprise data center, some are delivered via the cloud, and some are hybrid in both the enterprise data center and multiple clouds. These factors pose significant challenges to information security and regulatory compliance.
The digital transformation that businesses and public institutions alike are facing requires a new type of IT environment: more agile approaches and the ability to efficiently and securely translate departmental and business requirements into new software models and offerings. As a result, today’s cybersecurity is undergoing substantial changes. Traditional cybersecurity typically focuses on protecting networks, systems, applications, servers and endpoints in general. When we look at the protection of the actual data as the key asset in the process of safeguarding information, traditional security mechanisms are still often applied only to data during transmission (data in motion, e.g. HTTPS) or in its stored state (data at rest, e.g. file-system-based disk encryption).
The question of how to secure data in an increasingly perimeter-less IT between on-premises environments, the cloud and anywhere in between is getting more and more important. Business boundaries are dissolving as the requirements and the ability to share information continuously increase. For example, in agile and collaborative working environments, information has to be shared efficiently and securely between various internal and external business partners, mainly via cloud services and with mobile devices. This requires extensive access to what is often considered to be critical content by a variety of stakeholders.
Modern, data-centric security approaches move their focus away from infrastructure and network boundaries and look rather at the transmitted payload. This modified paradigm of protecting data is key, especially when traditional IT infrastructure is replaced or augmented with cloud services. Data-centric security typically looks at the processes of
- Identifying and discovering sensitive data;
- Classifying data (from public to confidential and regulated);
- Managing and protecting (especially sensitive) data, encompassing its full lifecycle using methods such as encryption, hashing, and access controls;
- Data loss prevention (DLP) methods and techniques;
- Monitoring and auditing of access to classified data, to provide evidence of successfully implemented measures and controls to regulators, to internal audit, senior management and the business.
Organizations are increasingly adopting a hybrid model for the delivery of IT services and this requires a consistent approach to govern and secure data on-premises, in the cloud (including multi-cloud approaches) and when shared with external parties.
Above all, ease of use and a transparent application of the processes given above are of high importance in order to provide security and efficiently enable business with all involved parties.
Classification, access control and technical enforcement of security measures make it possible to implement risk-based approaches to data-centric security. This is often required by auditors and the business to make sure that sensitive data can be identified and then processed, transferred and stored with adequate safeguards. Data subject to special requirements, such as mandatory data locality or industry-specific regulatory requirements, can be appropriately isolated, which allows it to be treated individually and adequately.
That does not mean that data-centric security is the single, new solution to security challenges, replacing everything that has been done before. Traditional security mechanisms (e.g. firewalls or endpoint security) continue to represent an initial layer of protection that an attacker must first overcome, and they protect individual aspects and security dimensions of hybrid environments. Whenever applicable, e.g. when establishing on-premises segments of hybrid environments, these measures remain valid and efficient components of a so-called layered security approach, covering multiple dimensions of cybersecurity.