A funny thing happened when I joined Micro Focus earlier this year. Having come from the data security space, I was used to hearing (and promoting) messages like "Data is the new perimeter" and "Data-centric security is the foundation." It made perfect sense to me, since data is at the core of business value creation.
But then I joined the Identity and Access Management (IAM) team at Micro Focus, and suddenly I was hearing that identity is at the center of everything: Identity is the foundation, identity is the new perimeter, identity powers EVERYTHING!
I’m the kind of person who likes to ask "Why" a lot. I like proof. I like expert opinions. And I like weighing different viewpoints and judging which argument makes the most sense.
So in this blog, I'm going to list some of the arguments for identity-centric security vs. data-centric security. And if you want to weigh in on the debate, please consider attending the Micro Focus Cybersecurity Summit happening June 11-13 in Dallas, TX, where you can meet with Micro Focus product experts and customers. If you are a customer, it's free to attend!
Arguments for Data-centric Security
A data-centric approach focuses on applying protection to data itself, rather than trying to protect the data in specific locations, such as on a laptop or on a specific network. The goal is to protect sensitive data wherever it goes, using policy-based protection that prevents unauthorized users from accessing the data.
Data-centric technologies include data discovery, classification, encryption, tokenization and data masking. While identity and access management are seen as an important part of the overall strategy, IAM is not the foundation.
Arguments for this approach usually center around a few key points:
- Organizations no longer have a secure network perimeter - in fact, they don't really have a perimeter at all. Applications and data are increasingly stored in the cloud, and users expect to access their information from any location, on any device. This new reality has led to the Zero Trust Model, where no one is trusted by default, even if they are already inside the network perimeter. This model works particularly well with data-centric security, since methods like encryption can make data useless even if it's stolen or leaves the enterprise.
- Encryption is often seen as a "get out of jail free card" for privacy-related data breaches, enabling an organization to avoid reporting a breach or limiting the organization's liability for not protecting the information. While there is much debate about how true this is, especially for GDPR, it does lessen the risk of the plaintext data falling into the wrong hands.
- As big data projects become mainstream, an explosion of data is being captured into massive data lakes. This data provides great opportunity for new insights and business optimization based on analytics, AI, and machine learning. However, big data technologies are inherently open, and therefore vulnerable to attack from insiders who have root access. Data-centric security advocates see encryption and tokenization as a solution to this threat.
Arguments for Identity-centric Security
An identity-driven approach focuses on identifying individuals or things in a system, and controlling their access to resources within that system. The goal is to ensure that the right people access the right information at the right time.
Identity-centric technologies include identity management, identity governance, access management, and privileged account management.
The arguments for this approach share some similarities to data-centric security - i.e. that a new security approach is needed in a Zero Trust environment where no one can be trusted by default. However, advocates for identity-centric security say that identity - not data - is the common denominator in increasingly complex business networks, and should be used as the core of trust for all transactions. It is identity that is at the center of how people, devices, and data are connected.
An identity-centric approach says that if you don't know who (or what) is requesting access, no other security method really matters. You can have the best data encryption and application security, but if the wrong identity gains access to that data or application, all that effort is for naught.
There are a number of reasons why identity has become increasingly important in the last few years.
- Identities have evolved far beyond people. In addition to employees, partners and customers, identities now include connected devices, applications, services, and machines that power modern business. This diverse mix creates incredibly complex relationships, which are best managed by putting identity at the core of an organization's policies.
- With GDPR, organizations can no longer treat any name in a database as their own to manage as they please. At a minimum they must protect any personally identifiable information, but must also justify why they are storing it in the first place. With many more identities to manage, the result is an increased need for identity governance.
- Identity continues to be at the root of most headline-grabbing data breaches. Most breaches involve gaining access to privileged credentials, which can provide unlimited access to systems and data. Effectively managing the identities and access of those users who have the ability to do the most harm – maliciously or accidentally – is a logical step in securing the organization.
So which approach is better?
Personally, I don't think you necessarily have to choose one approach over the other. As all cybersecurity professionals know, no single approach provides a silver bullet for all security challenges.
However, I do have to say that since I've joined the IAM team at Micro Focus, my perspective has broadened. I now see identity as a critical enabler for digital transformation, and an excellent foundation on which to build a security strategy.
But even if you come at the problem from a different perspective, you'll find many people and solutions at Micro Focus who can support your journey. Our offerings include a wide range of security, risk and governance solutions, including both data-centric and identity-centric solutions.
The Micro Focus Cybersecurity Summit in June of this year is a great place to continue the conversation. I hope to see you there!
Follow Micro Focus Security on Twitter and use the hashtag #MicroFocusCyberSummit to stay up to date on the Cybersecurity Summit.