CISO Guide: Top Four Data Security Strategies for 2023 and When to Use Them
With each new year comes a chance to start fresh. We return to our projects with fresher eyes after the holiday break and come back with new ideas about what we want to work on over the next 12 months. The world of cybersecurity is no different. Each year, attackers find novel ways to claim data that does not belong to them, which means organizations must also advance so they do not fall victim to the latest trends among cyber criminals.
The Four Common Data Security Strategies
As CISOs and security teams deal with the alarming growth in both the frequency and sophistication of cyberattacks, we see four common data security approaches. Many organizations use one, or at most two, of these to organize and prioritize their security initiatives for the year. Going into 2023, these are the approaches we are seeing, in order of popularity:
- Compliance-led security
- Customer-led security
- Platform-led security
- Developer-led security
The rest of this article outlines the primary drivers and scope for each approach and how we see practitioners planning for the year ahead.
1. Compliance-led security: Most Popular Approach Regardless of Size of Organization
Compliance-led security is still the most popular approach. With compliance being a board-level mandate and recent high-profile data breaches lending visibility, CISOs are finding success in gaining both budget and organizational support.
Based on what we have seen going into the year, compliance-led security is resulting in (at least) four types of projects:
Tokenization with a modern twist
PCI, HIPAA and similar well-understood regulations have always been a driving force behind tokenization projects. With new rules from the FTC as well as ongoing developments in data privacy regulation, CISOs are looking for more ways to leverage tokenization or similar solutions. Tokenization has traditionally been the strongest but also the most restrictive security control, because organizations lose the use of the underlying data. For this reason, it has been confined to data that does not need to be subject to in-depth analytics, such as payment card data or SSNs. However, with the advances in data security over the last few years, CISOs can now use modern or next-gen tokenization rather than the traditional, restrictive solutions. Next-gen tokenization (disclosure: this is a popular offering from Portal26) gives users rich search and analytics without detokenization or decryption, so enterprises can protect data beyond payment cards without losing processing or analytics capability. Next-gen tokenization also offers enterprises a whole new class of capability: the ability to stand up applications on top of data platforms that offer tokenization as a native feature. No additional work is needed to instruct the data platform to tokenize certain fields, and the application retains full use of the underlying data without the security and privacy risk that previously existed. Needless to say, this simplifies compliance and dramatically improves coverage.
Many CISOs are teaming up with CDOs in their organizations to devise a sensible strategy for keeping data secure and private while supporting advanced analytics. AI/ML typically requires close-to-real data for training models and also needs a steady stream of ongoing data to manage drift. Many CISOs worry about the inherent conflict between analytics objectives and data security, as most data sets are technically in violation of multiple regulations with nothing but access control between them and bad actors. However, CISOs and security leaders can now leverage encrypted analytics solutions (disclosure: this is a popular offering from Portal26) that enable a wide array of analytics capabilities without the use of clear text. Where clear text is required by models, these solutions can maintain anonymized data pipelines governed by private data release policies and can enforce granular privacy policies in real time.
Data Privacy Enforcement
Data Residency, ITAR, and other geo-based regulations
Remote teams have been driving cost efficiencies for a long time, and with the pandemic this has become even more ingrained in enterprises of all sizes. With geographic dispersion, however, CISOs now face data residency and usage questions that were not previously on their radar, and we are seeing several initiatives driven by this type of compliance. Security teams must either rearchitect their data repositories to segment data by geography, or, where they have access to a more modern toolkit, adopt encryption and key-based approaches to the problem (disclosure: this is a popular offering from Portal26). These solutions enforce geo-based data segmentation using distinct encryption keys per geography, implemented either at the index (or table) level or, in some cases, even within completely commingled datasets. Combined with full-featured key management that uses multiple geographically distributed key vaults, this provides an excellent answer to this type of compliance requirement at a fraction of the cost of traditional solutions.
2. Customer-Led Security: Popular for B2B SaaS Companies
The second most popular data security approach going into 2023 is customer-led security.
As more and more companies of all sizes adopt the SaaS cloud model, SaaS customers are becoming much more demanding of strong data security and privacy controls. No SaaS company wants to be responsible for compromising its customers' data, and this is becoming an important driver for security initiatives.
At the end of the day, though, what makes this one of the more popular motivations for data security going into this year is that it has the strong support of the Sales leadership. Data security has become a competitive differentiator, a deal blocker, and a cost item – all at the same time. Large customers will not sign up unless the SaaS vendor can prove a base level of data security. Stronger and more provable security can steal customers away from less secure competitors, and if proper security is not provided on a shared platform, the SaaS vendor can end up running dedicated environments per customer, which can be quite expensive. Modern data security platforms (disclosure: this is a popular offering from Portal26) offer options that are both cost-efficient as well as easy to deploy.
This year we are seeing CISOs budget for BYOK/HYOK (bring/hold your own key) along with encryption-in-use and encryption-at-rest to meet customer demands for strong security. This approach puts the ultimate security of the data back in the hands of the customers themselves. Properly implemented, it ensures that the SaaS vendor does not have access to customers' data, so a compromise of the vendor does not compromise customer data.
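The geo-based segmentation described under data residency above and the BYOK/HYOK model described here rest on the same mechanism: a record is only readable by whoever holds the key-encryption key (KEK) for its scope, and the platform stores nothing but wrapped data keys and ciphertext. The following Go program is an added illustration of that mechanism, not Portal26's code and not a description of its product internals. It assumes envelope encryption with AES-256-GCM from Go's standard library; the Vault type, the scope labels "eu" and "us" (which could equally be customer ids), and the sample rows are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Vault stands in for a key holder outside the data platform: a regional key
// vault ("eu", "us") for residency, or a customer's own KMS for BYOK/HYOK.
// The platform never sees kek; it stores only wrapped data keys and ciphertext.
type Vault struct {
	Scope string
	kek   []byte // AES-256 key-encryption key (generated locally for this example)
}

// Record is one row in a commingled table: rows of every scope sit together,
// but each row is unreadable without its own holder's KEK.
type Record struct {
	Scope      string // label of the only vault that can unwrap this row
	WrappedDEK []byte // per-row data key sealed under the scope's KEK
	Ciphertext []byte // row body sealed under the data key
}

// randBytes panics on CSPRNG failure, which is not recoverable here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func NewVault(scope string) *Vault {
	return &Vault{Scope: scope, kek: randBytes(32)}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with a random nonce prepended; aad binds the scope label.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt is envelope encryption: a fresh data key per row seals the body and
// is itself wrapped under the holder's KEK, with the scope label as AAD on both.
func (v *Vault) Encrypt(body []byte) (Record, error) {
	dek := randBytes(32)
	ct, err := seal(dek, body, []byte(v.Scope))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(v.kek, dek, []byte(v.Scope))
	if err != nil {
		return Record{}, err
	}
	return Record{Scope: v.Scope, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt refuses other scopes up front and fails cryptographically on a row
// that was relabelled or wrapped under a different KEK.
func (v *Vault) Decrypt(r Record) ([]byte, error) {
	if r.Scope != v.Scope {
		return nil, fmt.Errorf("row is scoped to %q; vault %q cannot unwrap it", r.Scope, v.Scope)
	}
	dek, err := unseal(v.kek, r.WrappedDEK, []byte(v.Scope))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	return unseal(dek, r.Ciphertext, []byte(v.Scope))
}

func main() {
	eu, us := NewVault("eu"), NewVault("us")
	row, _ := eu.Encrypt([]byte("EU customer row")) // constructed sample row
	_, err := us.Decrypt(row)
	fmt.Println("us vault reading an eu row:", err)
}
```

Two design points carry over to real deployments: the scope label is authenticated data on both layers, so a compromised platform cannot relabel an EU row as a US row and have a US vault unwrap it, and because only wrapped data keys are stored, a dump of the platform's storage (the vendor-compromise case in the BYOK discussion) yields nothing readable without the holder's KEK.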
3. Platform-led security: Popular With Technical Security Leaders
Security leaders come in many flavors and each one is strong in its own way. Technical leaders tend to know their data landscape very well and as a result, they support platform-focused initiatives. While this is not the most common type of initiative, we are seeing some platforms/repositories become visible enough to warrant security and privacy projects centered around them.
Over the last year and a half, there have been many high-profile data breaches and cyberattacks in which the compromised platforms were named in the news. This has raised the visibility of underlying data stores and repositories beyond what it was previously. Also, in certain compliance- and customer-led data security initiatives, specific platforms (or repositories) end up being highlighted by auditors or internal reviewers, and those become independent data security initiatives of their own.
Here are some of the popular ones we are seeing going into 2023:
Granular Data Security for Object Stores
An exceedingly large number of organizations use AWS S3, Azure Blob, Google Cloud Storage and the like, both directly and behind applications. These repositories provide very versatile storage, supporting structured as well as unstructured data, and are used across a wide spectrum of use cases, from individual app back ends to full-blown data lakes. While all of them come with native data security capabilities, savvy CISOs are realizing that attackers seldom attack via the cloud platform itself and more often opt for compromise via user or admin credentials on the enterprise side. Modern data security solutions offer enterprises app-style encryption (disclosure: this is a popular offering from Portal26) applied before data lands in the object store, making it resistant to admin compromise and direct access. Encryption can be extremely granular, down to the collection, object, or field level, and keys can be held by individual data owners external to both the cloud provider and the enterprise (if required). Further, unstructured data can be searched without decryption, which provides an extra level of security. Finally, data leaving the repository can be released according to rich and granular privacy policies, which simplifies privacy enforcement for all dependent applications and takes the work out of app-level privacy compliance.
Securing File Shares from Ransomware Attacks
Last year saw an often-repeated ransomware attack pattern in which attackers got behind the firewall, moved laterally until they obtained admin access to file servers (or file shares), and exfiltrated documents. Lost data included traditional PII, intellectual property, designs, images, videos, and more. With companies producing more data than can reasonably be scanned, CISOs face a big challenge staying ahead of this one, and going into this year we are seeing several initiatives aimed at cracking the security problem for these types of repositories. DLP has had mixed success, and a more efficient solution is being sought (stand-alone or in combination with DLP) for a baseline level of protection against large-scale data exfiltration. Modern data security solutions (disclosure: this is a popular offering from Portal26) now offer file server (or file share) security in which data is encrypted before it is written to the share, using external keys. Keys can be as granular as desired and mapped at the company, department, group, or file level (or finer). Access can be controlled through existing RBAC, with key-based controls as an additional layer of security. Data security can be set up to be completely transparent to the end user, or certain files can be set up to trigger additional verification. Going into this year, we are seeing CISOs target users' unstructured data to secure it against large-scale exfiltration during ransomware attacks. Similar use cases are being implemented for traditional file servers as well as cloud file shares on various cloud platforms.
Securing Data Inside Enterprise Search Platforms
In the last two years thousands of companies have lost data from misconfigured search clusters (e.g. Elasticsearch). While misconfigured data stores are a common vulnerability, what puts enterprise search platforms most at risk is that they cannot keep data encrypted in any meaningful way. Search algorithms traditionally require clear text data, so any access through the search platform will always yield records, potentially millions of them, in clear text. Encryption at rest in these platforms offers no real protection, since attacks typically take place through the search platform itself. The good news is that CISOs now have access to encrypted search solutions (disclosure: this is a popular offering from Portal26). These solutions provide search platform plugins that transparently intercept data and encrypt it before it is written to the search index. The plugins then provide fully encrypted, full-featured, full-text search without decrypting the data. Query results are returned encrypted and can then be processed into clear or private data formats based on policy. Attackers with full access to the search platform would not see clear text data inside indexes, in memory, or in query results.
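Both the object-store section's claim that unstructured data can be searched without decryption and the encrypted search plugins described here raise the same question: how can an index answer queries when it never holds plaintext? The Go program below is an added example of one well-known answer, a keyed blind index, and is not Portal26's plugin or a description of its algorithm. Each document body is stored as AES-256-GCM ciphertext, and instead of an inverted index over plaintext terms the cluster stores HMAC-SHA256 tokens of the normalised terms under a key it never sees; a query is tokenised the same way, so exact-term matching runs over the postings without any decryption. The EncryptedIndex type, its methods and the sample documents are constructed for the example; it assumes exact-term matching only, with keys held outside the cluster.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"sort"
	"strings"
	"unicode"
)

// EncryptedIndex models an index-side plugin that intercepts documents on the
// way in: bodies become AES-GCM ciphertext and terms become HMAC blind tokens,
// so the cluster stores nothing it could be made to reveal in clear text.
type EncryptedIndex struct {
	indexKey []byte              // HMAC key for term tokens; held outside the cluster
	aead     cipher.AEAD         // AES-256-GCM under a data key held outside the cluster
	postings map[string][]string // blind token -> doc ids (what the cluster stores)
	bodies   map[string][]byte   // doc id -> ciphertext (what the cluster stores)
}

func NewEncryptedIndex() (*EncryptedIndex, error) {
	keys := make([]byte, 64) // two independent 32-byte keys, generated locally
	if _, err := io.ReadFull(rand.Reader, keys); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(keys[32:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EncryptedIndex{indexKey: keys[:32], aead: aead,
		postings: map[string][]string{}, bodies: map[string][]byte{}}, nil
}

// terms lower-cases and splits on anything that is not a letter or digit, so
// documents and queries normalise identically before tokenisation.
func terms(text string) []string {
	return strings.FieldsFunc(strings.ToLower(text), func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r)
	})
}

// token is the blind index entry for a term: HMAC-SHA256 under indexKey, so
// the postings keys reveal nothing about the words themselves.
func (ix *EncryptedIndex) token(term string) string {
	mac := hmac.New(sha256.New, ix.indexKey)
	mac.Write([]byte(term))
	return hex.EncodeToString(mac.Sum(nil))
}

// Index seals the body (doc id as AAD) and records one blind token per term.
func (ix *EncryptedIndex) Index(id, body string) error {
	nonce := make([]byte, ix.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	ix.bodies[id] = ix.aead.Seal(nonce, nonce, []byte(body), []byte(id))
	for _, t := range terms(body) {
		tok := ix.token(t)
		ix.postings[tok] = append(ix.postings[tok], id)
	}
	return nil
}

// Search returns the ids of documents containing every query term, computed
// purely by intersecting postings of blind tokens; nothing is decrypted.
func (ix *EncryptedIndex) Search(query string) []string {
	var result map[string]bool
	for _, t := range terms(query) {
		hits := map[string]bool{}
		for _, id := range ix.postings[ix.token(t)] {
			if result == nil || result[id] {
				hits[id] = true
			}
		}
		result = hits
	}
	var ids []string
	for id := range result {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	return ids
}
```

The caveat a practitioner should keep in mind is that a blind index of this kind hides the terms but not the equality pattern: an attacker who dumps the cluster can still see that two documents share a token, and how often each token occurs. Commercial encrypted-search products add further techniques to limit that leakage; which ones, and how far they go, is a question to put to the vendor during evaluation.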
4. Developer-led security: Popular With Product Company Security Leaders
Developer-led security was a popular “buzz phrase” for 2022 garnering many investment dollars from VCs and a lot of attention from startups looking to differentiate their approach to data security. From a CISO perspective, we are not seeing this as much of a driver for initiatives except for product companies that deal in a lot of sensitive data.
Going into this year we are seeing two types of initiatives in this area:
Natively secure app development
Modern data security solutions allow developers to leverage rich data security capabilities via APIs and bake them into the application itself. Secure and private data usage becomes inherent to the application. If implemented properly, these apps become a tough target for attackers.
Natively secure backend
The easiest answer for data security has always been to build it into the database, and most security leaders advocate using all available database security features. CISOs know how hard it is to bolt on security; it can never be as efficient as having it built right in. The good news is that data security providers now offer secure backends on which companies can build their applications. These have all types of data security and privacy controls baked into the datastore itself. Developers can select from a wide range of field-level controls and apply various types of encryption, tokenization, masking, redaction, format-preserving encryption, and so on, without extra work and without losing the use of the underlying data. These types of data stores are ideal for greenfield development initiatives.
No matter what your data security strategy is, the control toolset has evolved sufficiently in the last few years to give you a real boost. You can select from a wide variety of advanced controls to improve your coverage, reduce blast radius and go so far as to make certain classes of attacks irrelevant. These controls are well-recognized by analysts and CISOs alike.
In 2022, Portal26, which offers the industry’s richest data security platform with a full suite of data security controls, including encrypted search and all nine traditional controls, was recognized by the industry, analysts, and CISOs over 16 times. Portal26 is being utilized by CISOs of public and regulated enterprises, carried by global resellers, and increasingly recommended by consulting partners and trusted advisors.