
What Is Data Gravity and What Does It Mean For CISOs?


Data Gravity. It certainly sounds like it has a certain gravitas. I personally have been fascinated by the term since I was first drawn towards it. The implications of data gravity for the cybersecurity industry and for Chief Information Security Officers (CISOs) are worth exploring in more depth, and I finally had time over the weekend to write up my thoughts.

It is clear to me that data security approaches must evolve in response to the gravitational pull of data: security and privacy protections need to be agile enough to move with the data, precise enough to protect it despite its scale, and strong enough to counterbalance data gravity where compliance dictates.

A Quick Refresher: What Is Data Gravity? 

Data gravity is driving a tectonic shift in cybersecurity: security data is moving into cloud data platforms such as Snowflake, BigQuery, Microsoft Azure Data Warehouse, Amazon Redshift, and the like. As the volume of data grows, moving it out to other applications becomes hard and costly. Snowflake, Google, Amazon, and Microsoft understand this advantage very well and are acting to exploit it. In cybersecurity they typically do so in two ways: by offering their own security services and applications, and by establishing marketplaces through which they sell security services and applications from other providers.

I first came across the term “data gravity” in one of Ross Haleliuk’s amazing Venture in Security newsletters (p.s. if you aren’t subscribed, you should be!). As Ross describes, the concept has been around since 2010. Data gravity is a useful construct for explaining the increasing accumulation of data in centralized locations. It asserts that data has its own gravitational force that draws in more data and encourages applications to be built ever closer to the data they use. As data accumulates, its gravity grows stronger, because the cost, complexity and effort of moving it securely elsewhere become a burden.

More Data In Fewer Places = More Risk

CISOs must view the aggregation of their organization’s data as an increase in risk: the proverbial “all your eggs in one basket.” The concentration risk of keeping too much of anything in one place is probably even more front of mind this week.

Organizations and CISOs can’t afford to be surprised by the risks of this aggregation of data, and need to proactively ensure their data is resilient to any event that could threaten its availability. The opportunity to use multiple availability zones and build distributed data architectures exists in every cloud service provider, but unfortunately too many CISOs lack even a basic data inventory and don’t know where all their data resides.

This is where Data Security Posture Management (DSPM) can help: it can identify where your data is and where its backups or failovers are (if any), monitor the flow of backup data, and verify that backups are both successful and complete. It can also monitor and restrict access to the backups themselves, so you aren’t surprised when you need them most.


Precision and Speed 

A less obvious implication of data gravity is the growing need for both precision and speed. As data becomes more concentrated, the implicit controls that came from keeping different datasets separated, and that thereby limited the blast radius of a security incident, disappear. CISOs can no longer restrict access to datasets based solely on the data store; they need to understand the data in more detail and restrict access and operations more precisely than ever before. CISOs also no longer have the extra containment time that separation across multiple data stores used to provide. Unfortunately, centralizing data to make it easier to access makes it easier for an attacker too.

As a result, organizations need to actively reduce their data blast radius and increase the speed of their response. Data security posture management tools like DataGuard can continuously assess the volume of data at risk and prioritize pragmatic steps to minimize the potential impact of a breach of a single identity, data store, vulnerability or misconfiguration. The precision and speed that come from knowing exactly what data is in which data store, and who can access it, are essential when all your data is in one spot.

Compliance Requires Artificial Data Gravity

Like gravity itself, uncontrolled data gravity can have severe consequences for organizations when it results in a collision with immovable objects like laws and regulations. Organizations must comply with a variety of unique, overlapping, or even contradictory data security and privacy requirements, including regional data residency, data localization, and data sovereignty regulations. These regulations require organizations to keep certain data in certain locations and to restrict its movement outside those locations. Allowing regulated data to move across geographic and other logical boundaries without restriction could result in significant fines and penalties.

This is where data security posture management can create a strong counterbalance (almost an artificial gravity) around this data, by monitoring, alerting and enforcing policies that keep data where it belongs, both secure and compliant. An important first step, however, is to identify the data that carries specific regulatory requirements.
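The two checks described above (the per-identity blast radius from the Precision and Speed section, and the residency counterbalance from this section) both start from the same thing: an inventory that records, for every dataset, which store and region it sits in, how sensitive it is, and who can reach it. The following is an added illustration, not code from Symmetry Systems or DataGuard. The datasets, grants, regions and residency rules are constructed assumptions; it shows how a coarse store-level grant silently widens an identity's blast radius once datasets share a store, and how a classification-to-region policy flags data that has drifted out of bounds.

```python
"""
Added example (not Symmetry Systems code): a toy data inventory that answers
(1) what the blast radius of a single identity is once datasets share a store,
and (2) which datasets sit outside the region their classification allows.
All names, regions, record counts and residency rules are constructed
assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dataset:
    name: str            # logical dataset
    store: str           # warehouse / bucket it physically lives in
    region: str          # cloud region of that store
    classification: str  # "public", "internal", "pii", "phi"
    records: int         # rows/objects, a crude measure of exposure


# Constructed inventory: five datasets spread over two stores.
DATASETS = [
    Dataset("web_logs", "warehouse-eu", "eu-west-1", "internal", 5_000_000),
    Dataset("customer_profiles", "warehouse-eu", "eu-west-1", "pii", 200_000),
    Dataset("patient_records", "bucket-us", "us-east-1", "phi", 50_000),
    Dataset("eu_invoices", "bucket-us", "us-east-1", "pii", 80_000),  # EU PII copied to a US bucket
    Dataset("marketing_site", "bucket-us", "us-east-1", "public", 1_000),
]

# Constructed grants. "store:" grants are coarse (everything in the store);
# "dataset:" grants are the fine-grained ones the text argues for.
GRANTS = {
    "analytics-role": {"store:warehouse-eu"},
    "etl-service": {"store:warehouse-eu", "store:bucket-us"},
    "support-agent": {"dataset:customer_profiles"},
    "web-publisher": {"dataset:marketing_site"},
}

SENSITIVE = {"pii", "phi"}

# Assumed residency policy: classification -> regions it may reside in.
# Illustrative only; real rules come from the applicable regulation.
RESIDENCY = {"pii": {"eu-west-1"}, "phi": {"us-east-1"}}


def reachable(identity):
    """Datasets an identity can read; a store-level grant resolves to every dataset in that store."""
    targets = GRANTS.get(identity, set())
    return {ds for ds in DATASETS
            if f"store:{ds.store}" in targets or f"dataset:{ds.name}" in targets}


def blast_radius(identity):
    """Sensitive records exposed if this one identity is compromised."""
    return sum(ds.records for ds in reachable(identity) if ds.classification in SENSITIVE)


def store_level_exposure(identity):
    """Sensitive datasets reached only through a coarse store-level grant:
    the first candidates for narrowing to dataset-level grants."""
    targets = GRANTS.get(identity, set())
    return {ds.name for ds in reachable(identity)
            if ds.classification in SENSITIVE and f"dataset:{ds.name}" not in targets}


def rank_identities():
    """(blast_radius, identity) pairs, largest first: a remediation priority list."""
    return sorted(((blast_radius(i), i) for i in GRANTS), reverse=True)


def residency_violations():
    """Datasets whose region is outside what their classification permits."""
    return sorted(ds.name for ds in DATASETS
                  if ds.classification in RESIDENCY
                  and ds.region not in RESIDENCY[ds.classification])


if __name__ == "__main__":
    for records, identity in rank_identities():
        print(f"{identity:16} exposes {records:>9,} sensitive records; "
              f"over-broad: {sorted(store_level_exposure(identity)) or '-'}")
    print("residency violations:", residency_violations())
```

In this constructed inventory the service account with two store-level grants tops the list even though it was never explicitly granted any sensitive dataset, which is exactly the separation-by-store control that data gravity erodes; the residency check surfaces the EU invoice copy that drifted into a US bucket. A real DSPM tool replaces the hand-written inventory with discovered stores, scanned classifications and effective IAM permissions, but the questions it answers are the same.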

Data-Centric Architecture Is a Must for Data Security Tools

The security benefits of the concentration of data that data gravity produces are obvious. It is easier to identify, protect, detect, respond, and recover from threats when the data to be protected is within your environment than when it isn’t.

As security practitioners, we’ve seen just how hard it is, and how long it takes, to investigate a security incident outside your organization. You’re reliant on a contract to enforce how a third party secures your data when it’s outside your control, and on a questionnaire that never gets to the specifics of how they actually protect it. It’s not surprising to see a large number of companies impacted by third-party breaches, and the industry’s focus on third-party risk.

But rather than leveraging the benefits of centralized data, we seem to be actively fighting data gravity by adopting security tools that operate outside our environment and, as a result, sending them “bucket loads” of our data.

CISOs should be asking themselves why. At Symmetry Systems, it is extremely important to us that customers maintain control of their data at all times. In fact, this is the primary driver behind our customer-native deployment model. In the customer-native model, our Data Security Posture Management solution DataGuard is deployed in the customer’s own cloud tenant, so that the security benefits of data gravity aren’t traded away for the illusion of a five-minute install.

Managing Data Gravity with Data Security Posture Management

Given all these implications of data gravity for security, it is imperative that CISOs adopt a data-centric strategy, so they are not caught unaware of where their data is ending up and can actively reduce the blast radius created by this aggregation of data. In my opinion, DSPM is a must-have for any organization that has data worth protecting.

To learn more about DSPM or see a DSPM solution in action, please reach out. We’d love to show you how DataGuard can help visualize the impact of data gravity and provide an evidence-based approach to data security.