THE DEFINITIVE GUIDE TO DATA SECURITY Taller walls aren’t the answer. Table of Contents Introduction 1 Part I The Walls Are Crumbling 4 Our Path to the Present 5 The Old Ways Can’t Serve Our New World 7 Part II Finding the Four Key Gaps 10 The Behavior Gap 11 The Visibility Gap 14 The Control Gap 16 The Response Time Gap 18 Part III The Best Defense: Data Security 21 Data-Centric Security for a Borderless World 22 Security for Data Anywhere and Everywhere 23 Closing the Security Gaps 26 Contact Information 28 Introduction You don’t know what you don’t know. Each time you read about another data breach in the paper, some little voice whispers in your brain, “That can’t happen to us, right?” But, deep in your gut, you know sensitive business data may be at risk somewhere out of sight, beyond your reach. Your data security policies and processes have gaps—places where sensitive information can go astray and end up in the wrong hands. For most businesses, today’s information security is built as a series of metaphorical walls—protections and defenses erected around applications, devices, networks, and online identities. Beyond those walls, we rely on each individual employee following policies as a virtual extension of these fortifications. The good news: we have become expert at building defenses around applications and networks, including perimeter-based security, strong authentication, encryption, mobile device management, and secure containers. All of these solutions offer vital protections. But when they fail—when there’s a breach in our defenses—we try to strengthen the barriers we already have. We don’t adapt. And that doesn’t work. 1. Data is the vital stuff of business, but to protect our crown jewels, we have to shift our security to protect what really matters: the data itself. SECURED WITH VERA NOT PROTECTED 2. If you lock everything down, business will grind to a halt. Building higher walls and stronger perimeter defenses may make you feel safer for a while. But this strategy can’t deliver lasting protection, for two reasons: Walls are crumbling. Physical boundaries and network perimeters are dissolving. The more complex the IT environment becomes, the more difficult it is to protect the systems, devices, people, and networks handling corporate data. Sensitive data escapes through the gaps in the defenses. Business is storming the walls, from the inside out. Data delivers value when it’s being used by employees as well as people outside of your organization, with devices and applications that you cannot control. Data is the vital stuff of business, but to protect and control our crown jewels (our intellectual property or regulated information) when they’re in use by partner or collaborator hands, we can’t rely on walls. We have to shift from infrastructure-centric security measures to data-centric approaches to protect what really matters: the data itself. If your team is struggling to secure sensitive data in a world without well-defined borders, you need to change your approach and understand: • Why building bigger walls around data, devices, networks, and applications doesn’t work anymore • How to find and detect the four key gaps in your information security architecture • How to bridge those gaps by protecting data in use To get out from behind our walls, we first have to understand how we got into our current situation. 3. PART I THE WALLS ARE CRUMBLING Part I Our Path to the Present Taller, higher, stronger walls Great minds and innovative companies have spent decades addressing the challenges of information security. As technologies change and expose vulnerabilities, new solutions rush in to fill the vacuum, adding layers to secure the people, places, and things handling business data. Back in the day, the mainframe environment consisted of a single access point, one network, and only a few privileged accounts to protect. Admins controlled logins to the mainframe and locked down the computer in a secure, temperature-controlled citadel. The mainframe itself took care of the rest. Then the computing perimeter started expanding, and defenses became more complex. Distributed client/server computing multiplied the systems and networks needing protection. Computers multiplied. Client devices multiplied. But, most employees still operated within corporate networks. As information systems expanded to the cloud, logins multiplied. Mobile devices mu