CISOs Guide: Top Four Data Security Strategies for 2023, When to Use Them

Happy New Year to all and welcome to the first edition of my first newsletter. As a data security startup founder, I find myself fortunate to be in the right place at the right time. What we do at Titaniam and the problems we seek to solve are extremely relevant, and this has afforded me the opportunity to meet with hundreds of security leaders over the last couple of years. 2022 was a phenomenal year for learning about this market, as data security was more visible this year than it has ever been before. At Titaniam we have worked hard to incorporate everything CISOs taught us this year into our own strategy for 2023. This newsletter is my way of sharing key learnings with the broader community, including CISOs, who always love to know how their peers are approaching common challenges.

This edition is a foundational piece that lays out the various data security approaches we are seeing going into 2023 along with drivers, controls, and solutions. Please feel free to share feedback on content, format and also contact me if you believe Titaniam can help with your data security initiatives in any way.

I. Four Common Data Security Strategies

As CISOs and security teams deal with the alarming growth in both the frequency and the sophistication of cyberattacks, we are seeing four common approaches to data security. Many organizations use one, or at most two, of these to organize and prioritize their security initiatives for the year. Going into 2023, these are what we are seeing, in order of popularity:

  • Compliance led security
  • Customer led security
  • Platform led security
  • Developer led security

The rest of this article briefly outlines primary drivers and scope for each of these approaches and what we are seeing practitioners plan for this year.

II. Compliance led security: Most Popular Approach Regardless of Size of Org

Compliance led security is still the most popular approach. With compliance being a board level mandate and recent high profile data breaches lending visibility, CISOs are finding success in gaining both budget as well as organizational support.

Based on what we have seen going into the year, compliance led security is resulting in (at least) four types of projects:

  1. Tokenization with a modern twist: PCI, HIPAA and similar well understood regulations have always been a driving force behind tokenization projects. With new rules from the FTC as well as ongoing developments in data privacy regulations, CISOs are looking for more ways to leverage tokenization or similar solutions. Tokenization has traditionally been the strongest but also the most restrictive security control, with organizations essentially losing the use of the underlying data. For this reason it has been restricted to data that does not need to be subject to in-depth analytics, such as payment card data or SSNs. However, with all the advancements in data security over the last few years, CISOs can now utilize modern or next gen tokenization rather than traditional restrictive solutions. Next gen tokenization (disclosure: this is a popular offering from Titaniam) allows users rich search and analytics without detokenization or decryption. This means enterprises can protect data beyond payment cards without losing processing or analytics capability. Next gen tokenization also offers a whole new class of capabilities for enterprises: the ability to stand up applications built on top of data platforms that offer tokenization as a native capability. This means that no additional work needs to be performed to instruct the data platform to tokenize certain fields, and the application retains the full use of the underlying data without the security and privacy risk that would previously have existed. Needless to say, this simplifies compliance and dramatically improves coverage.
  2. Encrypted Analytics: Many CISOs are teaming up with CDOs in their orgs to come up with a sensible strategy around keeping data secure and private while supporting advanced analytics. AI/ML typically requires close-to-real data for training models and also needs a steady stream of ongoing data to manage drift. Many CISOs are worried about the inherent conflict between analytics objectives and data security, as most data sets are technically in violation of multiple regulations with nothing but access control between them and bad actors. However, CISOs and security leaders can now leverage encrypted analytics solutions (disclosure: this is a popular offering from Titaniam) that enable a wide array of analytics capabilities without the use of clear text. Where clear text data is required by models, these solutions can maintain anonymized data pipelines that are controlled by private data release policies and can implement granular privacy policies in real time.
  3. Data Privacy Enforcement: When GDPR came out a few years ago, it set off a spate of activity, most of which was focused on figuring out what data was subject to the regulation and building the plumbing for data subject consent and rights. As the US followed suit, these projects became popular and pervasive. As the years have progressed, organizations have found decent success on the data classification and consent management side and very little success on the enforcement side of the house. Knowing how much private data exists in the org and being informed about data subject requests has not made the work of actually enforcing privacy policy easy. Even a small to medium size enterprise has private data scattered across tens of applications and data stores, and it is just not easy to implement privacy policy in an efficient way. This year, we are seeing CISOs take on data privacy enforcement via a series of privacy enforcement technologies. Unlike prior years, CISOs now have access to broad spectrum data security platforms (disclosure: this is a popular offering from Titaniam) that can enforce a very large number of private data formats in one go. Modern data security platforms can combine all known privacy enforcement techniques (i.e. encryption, format preserving encryption, various types of data masking, various types of tokenization, redaction, hashing, anonymization etc.) into one set of field level policies and enforce them centrally across apps and data repositories. Unlike traditional tools that existed prior, these solutions can deal with both structured and unstructured data across multiple types of apps and data stores.
  4. Data Residency, ITAR and other geo based regulations: Remote teams have been driving cost efficiencies for a long time now, and with the pandemic this has become even more ingrained in enterprises of all sizes. With geo dispersion, however, CISOs now face data residency and usage questions that were not previously on their radar. We are seeing several initiatives that are driven by this type of compliance. Security teams are faced with either rearchitecting their data repositories to segment data by geo, or, for those that have access to a more modern toolkit, looking into encryption and key based approaches to the problem (disclosure: this is a popular offering from Titaniam). These solutions can enforce geo based data segmentation using distinct encryption keys, and this can be implemented either at the index (or table) level or in some cases even in completely commingled datasets. This, combined with full featured key management utilizing multiple geographically distributed key vaults, provides an excellent answer for this type of compliance, and does so at a fraction of the cost of traditional solutions.
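As an added illustration (not Titaniam's code or design) of the key based approach in item 4: rows from several regions share one table, each value is encrypted under its region's key, and withdrawing a region's key vault makes that region's rows unreadable while the other rows stay usable. The cipher is a stand-in for AES-GCM built from HMAC so the example needs only the Python standard library; the vault and store classes and the sample records are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Toy authenticated cipher from HMAC-SHA256 (counter-mode keystream plus MAC tag),
# a stand-in for AES-GCM so the example needs only the standard library.
def _keystream(key, nonce, length):
    blocks = (hmac.new(key, b"E" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"T" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, b"T" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class RegionalKeyVaults:
    # Hypothetical: one key per region, served only while that region's vault is online.
    def __init__(self, regions):
        self._keys = {r: os.urandom(32) for r in regions}
        self.online = set(regions)
    def key_for(self, region):
        if region not in self.online:
            raise PermissionError(f"key vault for region {region!r} is unavailable")
        return self._keys[region]

class CommingledStore:
    # Hypothetical: one table for every region; each value is encrypted under its
    # own region's key, while the record id and region label stay in the clear.
    def __init__(self, vaults):
        self.vaults = vaults
        self.rows = {}  # record_id -> (region, ciphertext)
    def put(self, record_id, region, value):
        self.rows[record_id] = (region, encrypt(self.vaults.key_for(region), value.encode()))
    def read(self, record_id):
        region, blob = self.rows[record_id]
        return decrypt(self.vaults.key_for(region), blob).decode()

def demo():
    # Constructed sample data: one EU and one US customer record in the same table.
    vaults = RegionalKeyVaults(["eu", "us"])
    store = CommingledStore(vaults)
    store.put("c1", "eu", "hans@example.de")
    store.put("c2", "us", "pat@example.com")
    eu_before = store.read("c1")
    vaults.online.discard("eu")  # EU vault withdrawn: EU rows go dark, US rows unaffected
    try:
        store.read("c1")
        eu_after = "readable"
    except PermissionError:
        eu_after = "dark"
    return eu_before, eu_after, store.read("c2")
```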

III. Customer Led Security: Popular for B2B SaaS Companies

The second most popular data security approach going into 2023 is customer led security. As more and more companies of all sizes adopt the SaaS cloud model, we are seeing SaaS customers become much more demanding of strong data security and privacy controls. No SaaS company wants to be responsible for compromising the data of its customers, and this is definitely rising to become an important driver for security initiatives. At the end of the day, though, what makes this one of the more popular motivations for data security going into this year is that it has the strong support of the Sales leadership. Data security has become a competitive differentiator, a deal blocker, and a cost item - all at the same time. Large customers will not sign up unless the SaaS vendor can prove a base level of data security. Stronger and more provable security can steal customers away from less secure competitors, and if proper security is not provided on a shared platform, the SaaS vendor can end up running dedicated environments per customer, which can be quite expensive. Modern data security platforms (disclosure: this is a popular offering from Titaniam) offer options that are both cost efficient and easy to deploy. This year we are seeing CISOs budget BYOK/HYOK (bring/hold your own key) along with encryption-in-use and encryption-at-rest to meet customer demands for strong security. This approach puts the ultimate security of the data back in the hands of the customers themselves. Properly implemented approaches ensure that the SaaS vendor does not have access to customers' data and that a compromise of the vendor will not compromise customer data.

IV. Platform led security: Popular With Technical Security Leaders

Security leaders come in many flavors and each one is strong in their own way. Technical leaders tend to know their data landscape very well and as a result they support platform focused initiatives. While this is not the most common type of initiative, we are seeing some platforms/repositories become visible enough to warrant security and privacy projects centered around them. Over the last year and a half there have been so many high profile data breaches and cyberattacks where the compromised platforms were part of the news. This has lifted the visibility of underlying data stores and repositories beyond what it used to be previously. Also in certain compliance and customer led data security initiatives, specific platforms (or repositories) end up being highlighted by auditors or internal reviewers and those also end up as independent data security initiatives. Here are some of the popular ones we are seeing going into 2023.

  1. Granular Data Security for Object Stores: An exceedingly large number of organizations leverage AWS S3, Azure Blob, Google Cloud Storage, etc. both directly and behind applications. These data repositories provide very versatile storage, supporting both structured and unstructured data, and can be leveraged across a wide spectrum of use cases, from individual app back ends to full blown data lakes. While all of these come with native data security capabilities, savvy CISOs are realizing that attackers seldom take the path of attacking via the cloud platform itself and more often opt for compromise via user or admin credentials from the enterprise side. Modern data security solutions offer enterprises app style encryption (disclosure: this is a popular offering from Titaniam) that can be applied before data lands in the object store, thus making it resistant to admin compromise and direct access. Encryption can be extremely granular, landing at the collection, object, or field level, and keys can be held by individual data owners external to both the cloud provider and the enterprise (if required). Further, unstructured data can be searched without decryption, and this provides an extra level of security. Finally, data leaving the repository can be released according to rich and granular privacy policies. This simplifies privacy enforcement for all dependent applications and takes the work out of app level privacy compliance.
  2. Securing File Shares from Ransomware Attacks: Last year saw an often repeated ransomware attack pattern where attackers got behind the firewall, moved laterally until they obtained admin access to file servers (or file shares), and exfiltrated documents. Lost data included traditional PII, intellectual property, designs, images, videos etc. With companies producing more data than can be reasonably scanned, CISOs have a big challenge staying ahead of this one, and going into this year we are seeing a number of initiatives aimed at cracking the security problem for these types of repositories. DLP has mixed success, and a more efficient solution is being sought (stand alone or in combination with DLP) for a baseline level of protection against large scale data exfiltration. Modern data security solutions (disclosure: this is a popular offering from Titaniam) now offer file server (or file share) security where data is encrypted before it is written to the file share, and this encryption takes place using external keys. Keys can be as granular as desired and be mapped at the company, department, group, or file level (or more). Access can be controlled through existing RBAC, with key based controls as an additional layer of security. Data security can be set up to be completely transparent to the end user, or certain files can be set up to trigger additional verification. Going into this year, we are seeing CISOs target unstructured user data to secure it against large scale exfiltration during ransomware attacks. Similar use cases are being implemented for traditional file servers as well as cloud file shares on the various cloud platforms.
  3. Securing Data Inside Enterprise Search Platforms: In the last two years thousands of companies have lost data from misconfigured search clusters (e.g. Elasticsearch). While misconfigured data stores are a common vulnerability, what makes enterprise search platforms most at risk is that they cannot keep data encrypted in any meaningful way. Search algorithms traditionally require clear text data, so any access through the search platform will always yield results (potentially millions of records) in clear text. Encryption at rest in these platforms does not offer any real protection, since attacks typically take place through the search platform itself. The good news is that CISOs now have access to encrypted search solutions (disclosure: this is a popular offering from Titaniam). These solutions offer search platform plugins that can transparently intercept data and encrypt it before it gets written to the search index. The plugins then facilitate fully encrypted, full featured, full text search without data decryption. Query results come back encrypted and can then be processed into clear or private data formats based on policies. Attackers with full access to the search platform would not see clear text data inside indexes, in memory, or in query results.
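To make concrete what "search without decryption" means at the index layer, here is an added example (not Titaniam's plugin or design) of a keyed blind index: every term is replaced by an HMAC token before it reaches the inverted index, so a dump of the index yields no clear text terms, and a query is answered by matching tokens. The documents themselves are assumed to be stored as ciphertext elsewhere; `BlindIndex`, `index_leaks_terms` and the sample records are constructed for this illustration.

```python
import hashlib
import hmac
import re

def _terms(text):
    # Lower-case alphanumeric tokens, de-duplicated per document or query.
    return set(re.findall(r"[a-z0-9]+", text.lower()))

class BlindIndex:
    # Hypothetical: an inverted index keyed by HMAC(term) instead of the term.
    # Only a holder of the key can turn a query word into a token the index matches.
    # Caveat: which records share a term (equality/frequency pattern) is still visible.
    def __init__(self, key):
        self._key = key
        self._postings = {}  # hex token -> set of record ids

    def _token(self, term):
        return hmac.new(self._key, term.encode(), hashlib.sha256).hexdigest()

    def add(self, record_id, text):
        for term in _terms(text):
            self._postings.setdefault(self._token(term), set()).add(record_id)

    def search(self, query):
        # AND semantics: a record must carry every term of the query.
        hits = [self._postings.get(self._token(t), set()) for t in _terms(query)]
        return set.intersection(*hits) if hits else set()

    def dump(self):
        # What someone reading the index store sees: tokens and ids, no terms.
        return {token: sorted(ids) for token, ids in self._postings.items()}

def index_leaks_terms(index, candidate_terms):
    # True if any candidate term appears verbatim among the stored tokens.
    return any(t in token for token in index.dump() for t in candidate_terms)

def demo():
    # Constructed sample records; clear text exists only at index and query time.
    key = b"\x42" * 32  # in practice held outside the search platform
    idx = BlindIndex(key)
    idx.add("r1", "Invoice for Alice Schmidt, account 99812")
    idx.add("r2", "Support ticket from Alice about a login lockout")
    idx.add("r3", "Quarterly report, no customer data")
    return {
        "alice": idx.search("alice"),
        "alice account": idx.search("Alice account"),
        "lockout": idx.search("lockout"),
        "missing": idx.search("nonexistent"),
        "leaks": index_leaks_terms(idx, ["alice", "schmidt", "lockout"]),
    }
```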

V. Developer led security: Popular With Product Company Security Leaders

Developer led security was a popular "buzz phrase" for 2022 garnering many investment dollars from VCs and a lot of attention from startups looking to differentiate their approach to data security. From a CISO perspective we are not seeing this as much of a driver for initiatives with the exception of product companies that deal in a lot of sensitive data. Going into this year we are seeing two types of initiatives in this area:

  1. Natively secure app development: Modern data security solutions (disclosure: this is one of the offerings from Titaniam) allow developers to leverage rich data security capabilities via APIs and bake them into the application itself. Secure and private data usage becomes inherent to the application. If implemented properly, these apps become a tough target for attackers.
  2. Natively secure backend: The easiest answer for data security has always been to build it into the database, and most security leaders advocate using all available database security features. CISOs know how hard it is to bolt on security. It can never be as efficient as having it built right in. The good news is that data security providers now offer (disclosure: this is one of the offerings from Titaniam) secure backends on which companies can build their applications. These contain all types of data security and privacy controls baked into the datastore itself. Developers can select from a wide range of field level controls and apply various types of encryption, tokenization, masking, redaction, format preserving encryption, and so on, without extra work and without losing the use of the underlying data. These types of data stores are ideal for greenfield development initiatives.

VI. Conclusion: No matter what your data security strategy is, the control toolset has evolved sufficiently in the last few years to give you a real boost.

You can select from a wide variety of advanced controls to improve your coverage, reduce blast radius, and go so far as to make certain classes of attacks irrelevant. These controls are well recognized by analysts and CISOs alike. In 2022, Titaniam, which offers the industry's richest data security platform, with a full suite of data security controls including encrypted search and all 9 traditional controls, was recognized by industry, analysts, and CISOs over 16 times. Titaniam is being utilized by CISOs of public and regulated enterprises, carried by global resellers, and increasingly recommended by consulting partners and trusted advisors.


About Titaniam: Titaniam provides enterprises and SaaS vendors with a full suite of data security/privacy controls in a single, enterprise grade solution. This includes highly advanced options such as encryption-in-use that enables encrypted search and analytics without decryption, and also traditional controls such as tokenization, masking, various types of encryption, and anonymization. Titaniam also offers BYOK/HYOK (bring/hold your own key) for data owners to control the security of their data. If attacked, Titaniam minimizes regulatory overhead by providing evidence that sensitive data retained encryption. Titaniam's interoperable modules can be combined to support hundreds of architectures across multiple clouds, on-prem, and hybrid environments. Titaniam provides the equivalent of 4+ categories of solutions, making it the most effective and economical solution in the market. Titaniam is featured by Gartner, IDC, and TAG Cyber and has won coveted industry awards, e.g. SINET16 and at RSAC2022. For more information visit Titaniam here or schedule a demo with us here.

Billy Norwood, MBA

CISO | Technology & Risk Executive | Strategic Advisor

1 year

Different strategies for sure, but all have good takeaways for any company. Developer led security is becoming more key for us and others in healthcare with digital health platforms and other offerings. Great article and sounds like things are going well!

Tyler Black

GRC Analyst | GRCP Certified | CMMC Trained | ISACA Member | ISSA Member Seattle | Vets2Industry Volunteer |

1 year

This outlook provides further protection for the platforms and the customer. I didn't see any mention of 3rd party protection. Is that included in any of those packages?

Raji Vanninathan

Cybersecurity Leader | Responsible AI | AI Security & Safety | Coach | Mentor | Women Advocate

1 year

Very insightful newsletter, I like how you present a comprehensive take on data security approaches! Looking forward to reading more as the year progresses.

Hi Arti, it's a great newsletter; it's the quintessence of what Titaniam is doing.

Monica Bajaj

Mother| VP of Engineering, Okta| Board Member|Advisor|Investor|

1 year

A comprehensive view of various levels of security, and for me, unlike all, developer led security and customer led security are top of mind.
