A data-centric approach to security could bolster enterprises' defences against hacking and cyber attack, according to the closing keynote panel at Infosecurity Europe 2014.
Moving towards a model where data are classified allows organisations to bolster security around the information that needs it – but also allows freer access to information that is less sensitive.
Technology vendors, too, are moving to include data loss prevention and data classification in their products, especially in the cloud, and data classification could help firms to make the transition to cloud and mobile computing.
"Data loss prevention technology is starting to be included out of the box, although we are not quite there yet," said Ashish Surti, head of IT security at Direct Line Group. "At the moment, we are still bolting processes and technology onto it."
But at the same time, IT security teams are having to deal with a shifting IT landscape, where more data are outside the network, and may be on servers or devices that are not under the organisation's direct control.
"A lot of organisations' approach to cloud is the same as their approach to any other outsourcing contract," said Nick Bleech, head of information security at Travis Perkins.
"I don’t want to belittle any risk, but if you have sensitive data sets and put those in a data centre in the Philippines, that is also a contractual risk that has to be managed." As more businesses move to the cloud, however, he expects data protection authorities to put the sector under greater scrutiny.
In industries that are highly regulated, a data-centric approach to security can also form the basis for negotiations with service providers. "We have to keep health care data in the UK," said Richard Corbridge, CIO at NIHR CRN, the UK's clinical research network. "Our contract with Google says the data have to be in the UK. [Internally] deciding which data go to the cloud is risk based."
But organisations need to understand the sensitivity of data, as well as how it will be used, in order to assess its risk, said Sarb Sembhi, director at Incoming Thought. "The approach to data classification needs to be effective and workable," he said.
This means deciding which data to protect, which need lower or no protection, and which should be discarded. But the panellists agreed that there are business benefits to allowing users to access non-sensitive data quickly and easily. "There will be huge chunks of information you don't need to secure, and which you can start to allow people to use," said Corbridge. "Don’t spend time agonising over that, but do make sure people understand the differences between data categories."
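As an added illustration of what a "workable" scheme looks like in code (this is not code from the panel or from any of the organisations named), the Python sketch below classifies records from their field names and contents, and lets the resulting level drive the handling rule: whether the data must be encrypted, which hosting regions are permitted (the kind of in-country constraint Corbridge describes), and the retention period after which the data should be discarded. The category names, the NHS-number and e-mail detectors, the region labels and the sample records are all assumptions constructed for the example.

```python
"""Data classification driving handling rules. Added example; all policy values are assumed."""
import re
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Sensitivity(IntEnum):
    PUBLIC = 0        # no protection needed; let people use it freely
    INTERNAL = 1      # low protection
    CONFIDENTIAL = 2  # personal data
    RESTRICTED = 3    # health data: encrypt and keep in-country


def valid_nhs_number(text: str) -> bool:
    """Mod-11 check digit of a UK NHS number (assumed content detector)."""
    digits = re.sub(r"\D", "", text)
    if len(digits) != 10:
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:          # no valid number has this remainder
        return False
    return check == int(digits[9])


EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
HEALTH_FIELDS = {"nhs_number", "diagnosis", "medication"}   # assumed field-name hints
PERSONAL_FIELDS = {"home_address", "date_of_birth"}


def classify(record: dict) -> Sensitivity:
    """Highest sensitivity found across field names and values wins."""
    level = Sensitivity.PUBLIC
    for name, value in record.items():
        text = str(value)
        if name in HEALTH_FIELDS or valid_nhs_number(text):
            return Sensitivity.RESTRICTED          # top category; stop early
        if name in PERSONAL_FIELDS or EMAIL_RE.search(text):
            level = max(level, Sensitivity.CONFIDENTIAL)
        elif name.startswith("internal_"):
            level = max(level, Sensitivity.INTERNAL)
    return level


@dataclass(frozen=True)
class Handling:
    encrypt_at_rest: bool
    allowed_regions: Optional[frozenset]   # None means anywhere
    retention_days: Optional[int]          # None means keep indefinitely


# Assumed policy: one handling rule per category, so users know the differences.
POLICY = {
    Sensitivity.PUBLIC: Handling(False, None, None),
    Sensitivity.INTERNAL: Handling(False, None, 365),
    Sensitivity.CONFIDENTIAL: Handling(True, frozenset({"uk", "eu"}), 730),
    Sensitivity.RESTRICTED: Handling(True, frozenset({"uk"}), 3650),
}


@dataclass
class Decision:
    level: Sensitivity
    action: str                       # "allow", "deny" or "discard"
    reasons: list = field(default_factory=list)


def decide(record: dict, target_region: str, age_days: int = 0) -> Decision:
    """Apply the handling rule for a record's category to a proposed storage location."""
    level = classify(record)
    rule = POLICY[level]
    decision = Decision(level, "allow")
    if rule.retention_days is not None and age_days > rule.retention_days:
        decision.action = "discard"
        decision.reasons.append(f"older than {rule.retention_days}-day retention")
        return decision
    if rule.allowed_regions is not None and target_region not in rule.allowed_regions:
        decision.action = "deny"
        decision.reasons.append(f"{level.name} data may not be stored in region '{target_region}'")
    if rule.encrypt_at_rest:
        decision.reasons.append("encrypt at rest")
    return decision


# Constructed sample records (not real people or products).
SAMPLE = {
    "catalogue": {"sku": "TP-1001", "name": "Timber 2.4m", "price": "12.99"},
    "contact": {"name": "A. Person", "email": "a.person@example.com"},
    "patient": {"name": "B. Person", "nhs_number": "943 476 5919", "diagnosis": "n/a"},
}

if __name__ == "__main__":
    for label, rec in SAMPLE.items():
        for region in ("uk", "ph"):
            d = decide(rec, region)
            print(f"{label:>9} -> {region}: {d.level.name:<12} {d.action:<7} {'; '.join(d.reasons)}")
```

The value-based detector is deliberately separate from the field-name hints: content matching is probabilistic (any ten digits with a valid check digit will trigger the NHS rule), so a real deployment should pair it with schema knowledge and let reviewers override, rather than trusting either signal alone. The early return on RESTRICTED also means the cheapest, most consequential rule is decided first.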
"We are looking at how we can allow access to sensitive information, and how to allow the business to process it," said Surti. "The business, and the architecture that processes the data, needs to be joined up."
And, at Travis Perkins, Bleech reported pressure from the business to allow remote access to data, in the cloud or on personal devices. "We are pushing on an open door here," he said. "The pressure for BYOD is coming from the business… but as risk professionals, we also have to ensure the business is informed about any risk."