In the wake of a recent spate of cybersecurity breaches, the practice of data-centric security has received renewed attention from business leaders concerned about the integrity of critical data. As defined by a PKWare white paper, data-centric security focuses on protecting data itself, rather than the systems that contain it.1 Central to the concept of data-centric security is the notion that the systems established to store and guard data sometimes crumble in the face of cyberattacks.1 Given that all manner of data storage systems have shown themselves to be vulnerable, it is hard to argue with this foundational principle. Rather than offering prescriptions for the improvement of systems, then, data-centric security places safeguards around the data itself – safeguards which are automatically applied and regularly monitored to ensure data security.1
Data-centric security strategies have several key advantages over the “network-centric” models currently employed by many firms.2 As discussed, data-centric strategies account for the proclivity of security networks to succumb to cyberattacks by securing the data itself. In addition, because security measures are built into data, “security travels with the data while it’s at rest, in use, and in transit,” a characteristic of data-centric strategies that facilitates secure data sharing and allows firms to move data from system to system without having to account for inevitable variations in security infrastructure.3 Moreover, data-centric security allows for easy access to data (a cornerstone of productivity in any firm) without compromising data security. In fact, Format-Preserving Encryption (FPE) – the specific type of encryption employed by many data-centric strategies4 – “maintains data usability in its protected form,” striking a balance between security and accessibility.5 Clearly, data-centric strategies provide stronger, more all-encompassing, and eminently manageable modes of data protection.
But perhaps the most important aspect of data-centric security is its essential role in any security regime compliant with New York State cybersecurity regulations. In fact, as the data security company Vera has noted, “the new rules are focused not just on protecting information systems but on securing, auditing and the disposition of data itself.”6 New York’s determination to advance data-centric security is evident in certain provisions of the recent cybersecurity regulation, the most important of which mandate that companies “restrict access privileges not only to systems but to the data itself.”6 Moreover, New York State’s cybersecurity regulations reflect the priorities of data-centric security because they require firms to “implement an audit trail system to reconstruct transactions and log access privileges,” a system which allows the security of individual pieces of data to be monitored automatically.6 New York regulators have already recognized the benefits of data-centric security strategies. Now, with the assistance of legal experts well-versed in cybersecurity compliance, companies concerned about their data security can too.