What is data-centric security and why is it important?

Feb 19, 2018

The idea behind it is simple and logical; the implementation is a bit more complicated.

With the data-centric approach, it is not the IT systems themselves that are at the centre of the efforts, but the most important asset of a company - the data itself.

This makes it possible to protect sensitive data that requires protection in compliance with the relevant laws, so that it can be stored, transmitted or processed in this protected state at any location in the company, and even beyond company borders without media breaks. Sounds too good to be true? That's what I thought at first! I personally came into contact with this technology for the first time in 2005 in Silicon Valley. At that time the developer, Voltage Inc., focused on placing this technology with the major U.S. financial institutions and credit card organizations.

Today, around 9 of the 10 largest US financial institutions use data-centric security to protect their data in payment transactions.

No one can claim that the concept of data-centric security or the technology behind it is not mature or ready for the market. Moreover, it relies on standardized encryption technologies, so that data protected with them counts as legally recognised data protection and every user is freed from the burden of proof.

Now to the technology itself.
The core of this concept is the use of format-preserving encryption (FPE). This offers a huge advantage over traditional encryption methods such as AES-256. FPE allows me to encrypt my sensitive data at the source without having to worry about all the data-processing applications involved: none of the existing applications will "complain" about the protected data, produce an error and stop working, because the ciphertext has the same format (length and character set) as the original. This eliminates the time and expense of adapting every application, which conventional encryption requires. Data protected by FPE can also be transferred out of the corporate network, e.g. to a partner, without any difficulty or loss of protection. If the partner has the appropriate permissions to access the original data, it receives an encryption key that is calculated on request for exactly that data item or attribute, and that key alone gives access to the original value. And what should please the security managers in organizations is that no complex PKI (Public Key Infrastructure) is necessary for using FPE. Encryption and decryption operations thus work across all system, silo and network boundaries.

How to explain this?
Take as an example the database systems found in every company, which use the most diverse encryption technologies to protect the stored data. Normally, the data is encrypted or decrypted on every access (write or read), because external systems cannot work with the encrypted data. With FPE, this complex and CPU-intensive encryption technology, which only works within the database system itself, is no longer needed. The same applies to the data silos of all kinds that exist in almost every company, and also across network boundaries, which extends coverage to any cloud applications.
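To make the property described in the two passages above concrete (encrypt once at the source, keep the format so that downstream applications, databases and silos never notice), here is an added illustration in Python. It is not Voltage's product, nor the standardized NIST SP 800-38G FF1 mode that production systems should use; it is a small Feistel network over decimal digits with HMAC-SHA256 as the round function, which is the same family of construction FPE modes belong to. The key, the tweak values, the card number and the "legacy application" validator are all constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed demo key; a real deployment would obtain per-data-item keys from a
# key server as the post describes, never from a hard-coded constant.
DEMO_KEY = b"constructed-demo-key-do-not-use"
DIGITS = "0123456789"
ROUNDS = 10  # even, so the two halves end up back in their original order


def _round_function(key: bytes, tweak: bytes, rnd: int, other_half: str, modulus: int) -> int:
    """Keyed pseudo-random round function: HMAC-SHA256 over (tweak, round index,
    the half not being modified), reduced modulo 10^m. Reducing a 256-bit value
    this way has a negligible bias; fine for illustration, but it is not FF1."""
    msg = tweak + bytes([rnd]) + other_half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def fpe_encrypt_digits(key: bytes, digits: str, tweak: bytes = b"", rounds: int = ROUNDS) -> str:
    """Encrypt a decimal string into another decimal string of the same length
    (Feistel network over two halves, as in the FFX family of FPE modes)."""
    if len(digits) < 2 or any(ch not in DIGITS for ch in digits):
        raise ValueError("input must be at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v  # length of the half being modified this round
        modulus = 10 ** m
        c = (int(a) + _round_function(key, tweak, i, b, modulus)) % modulus
        a, b = b, str(c).zfill(m)  # zfill keeps leading zeros, so the length is preserved
    return a + b


def fpe_decrypt_digits(key: bytes, digits: str, tweak: bytes = b"", rounds: int = ROUNDS) -> str:
    """Invert fpe_encrypt_digits by running the rounds backwards."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        modulus = 10 ** m
        p = (int(b) - _round_function(key, tweak, i, a, modulus)) % modulus
        a, b = str(p).zfill(m), a
    return a + b


def _map_digits(value: str, transform) -> str:
    """Apply transform to the digit positions of a formatted value only, so that
    separators such as spaces or dashes stay exactly where they were."""
    positions = [i for i, ch in enumerate(value) if ch in DIGITS]
    replaced = transform("".join(value[i] for i in positions))
    out = list(value)
    for pos, ch in zip(positions, replaced):
        out[pos] = ch
    return "".join(out)


def fpe_encrypt_formatted(key: bytes, value: str, tweak: bytes = b"") -> str:
    return _map_digits(value, lambda d: fpe_encrypt_digits(key, d, tweak))


def fpe_decrypt_formatted(key: bytes, value: str, tweak: bytes = b"") -> str:
    return _map_digits(value, lambda d: fpe_decrypt_digits(key, d, tweak))


# Stand-in for a downstream application's input validation: a 16-digit card
# number in four groups. Raw or base64 AES ciphertext would fail this check;
# FPE output passes it with no change to the application.
CARD_FIELD = re.compile(r"^\d{4} \d{4} \d{4} \d{4}$")


def legacy_app_accepts(card_field: str) -> bool:
    return CARD_FIELD.match(card_field) is not None


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"  # constructed test card number
    protected = fpe_encrypt_formatted(DEMO_KEY, pan, tweak=b"card_number")
    print("plaintext :", pan)
    print("protected :", protected, "| accepted by legacy app:", legacy_app_accepts(protected))
    print("restored  :", fpe_decrypt_formatted(DEMO_KEY, protected, tweak=b"card_number"))
```

The tweak plays the role of the column or attribute name: the same value stored in two different silos yields two different ciphertexts under one key, and a key or tweak for one attribute does not reveal another, which is the per-attribute access the post describes. The decrypt functions must be given the same tweak, or they return a well-formed but wrong value rather than an error, which is one reason production systems pair FPE with integrity checks and use a vetted mode such as FF1 instead of a homemade Feistel network.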

This is exactly what the GDPR (aka EU-DSGVO) requires of companies: continuous protection of sensitive data even beyond the company's borders, with complete control remaining with the company.

We and the specialists of the 'Big Data Security Alliance' will be happy to provide you with further information and advice!
Ask us your question here or give us a call.