Data Security in the Era of Sprawl: A Data-Centric Approach to Security and Compliance
In this article
Article written by Reginald Joseph of WWT and James Venuto of IBM.
In today's landscape of ubiquitous data sprawl, managing sensitive data scattered across hybrid and multi-cloud environments is enormously complex. Optimizing robust data protection strategies has become imperative, with average data breaches costing $4.45 million. WWT's real-world industry experience, alongside IBM's market-leading Guardium suite, offers a unified, data-centric solution to critical security and compliance challenges.
The Rapidly Intensifying Threat Landscape
Modern workspaces and accelerated cloud adoption have strained legacy security models. With organizational data pooled in multiple clouds, perimeter-based security controls fail to govern vast amounts of potentially exposed information. Data-centric security woven into a zero-trust approach is instrumental to overcoming today's challenges.
Implications of Data Sprawl
Data sprawl refers to the unbridled proliferation of data across on-prem, cloud, and edge environments. This lack of centralized visibility and control makes consistent security difficult. As siloed stores of data expand rapidly, organizations need help applying policies, managing risk, and preventing breaches across their growing attack surface. Without robust unified governance, threats will inevitably intensify amid increasing complexity.
What is Data-Centric Security?
According to the National Institute of Standards and Technology (NIST) in Data Classification Practices: Facilitating Data-Centric Security Management | CSRC, data-centric security management is part of a zero-trust approach to enhance data protection regardless of where it resides or whom it is shared with. Data-centric security can only meet the necessary protections if organizations know what data they have, its characteristics, and what security and privacy requirements they need to achieve.
For organizations that rely heavily on data, having strong data security is no longer optional – it's essential. A report by McKinsey points out that many current security measures are either too generic or not comprehensive enough, failing to address the unique needs of different types of data. This lack of customization is problematic because it leaves specific data vulnerable. However, the approach to data security is rapidly changing. Driven by the increasing number of costly and damaging data breaches and the growing demands of data protection laws, organizations recognize the need for more tailored security strategies. By 2025, McKinsey predicts that organizations will shift their mindset so data security, privacy, and ethics are treated as required competencies, according to The data-driven enterprise of 2025 | McKinsey
The pressure is undoubtedly on. Under the General Data Protection Regulation (GDPR), fines could reach 4% of your annual revenue. Similarly, a new SEC law requires you to report the material risk of a breach in only four days, or you could face fines, legal risk threats, and more. And cyber attacks continue to increase in sophistication. Given these and other regulations, a data-centric security strategy will be necessary to stay compliant in the future.
9 Steps to Developing a Data-Centric Approach to Security
1. Adopt a Data-Centric Security Mindset
Fundamentally, organizations must shift thinking to a data-centric security paradigm. Indeed, data-driven models will only emerge once this mental shift occurs across teams.
While most organizations grasp threats, network security, and data protection concepts, fully internalizing a data-centric approach has yet to catch up. For example, zero-trust principles are increasingly adopted but often only partially. Most secure the perimeter but fail to revalidate sensitive data access at inner layers.
Achieving robust data security requires securing from the inside out - classifying then protecting data starting at the source, across each interaction within complex IT environments.
Data-centric strategies involve classifying data and applying safeguards to prevent unwanted access or distribution.
This shift requires a comprehensive set of capabilities from new kinds of technologies. Offerings like IBM's Guardium Suite were created with this in mind. In the Data-Centric Security Market Size And Share Report, 2030, the data-centric security market is predicted to grow from $5.27B in 2023 at 24% CAGR to $24B in 2030.
To make the shift to a fully data-centric security approach, you need to have the capability to:
- manage data security from a central location and reach out to various public clouds
- encrypt data
- manage the keys and rotate them in an automated way
- and tie all this into your other capabilities so you can manage risks across all of your data.
Data-centric security technology has to block unauthorized data distribution as well as any attempt to steal or leak sensitive or confidential information. It also has to layer across existing systems.
No matter the technology, you can't effectively manage compliance or security risks if you don't completely understand your data.
2. Creating a diverse team with expertise in data management, security, compliance, and risk is crucial for implementing and continually improving data-centric security models.
This team should include professionals from various departments, ensuring multiple perspectives on how data is used and protected. Such a diverse team is vital when transitioning to a data-centric security approach, as it helps to address the concerns and requirements of all key players in your organization. With their varied insights, this team is critical in keeping your security strategy up-to-date and aligned with your organization's evolving needs.
Consider working with an experienced partner who will develop a deep understanding of your organization, industry, and your current and future needs.
3. Understand your architecture.
While assessing your data infrastructure may seem basic, it is crucial to understand what you have in place. Key questions include:
- What databases are currently used (e.g., SQL), and how are they protected?
- Is data stored on-prem, in the cloud, or both?
Real-time threat monitoring and visibility are vital to continually providing the actionable insights needed to improve security protections. The IBM Guardium solution offers robust analytics across environments.
The goal is to identify any visibility gaps that put sensitive data at risk. Taking time to map and understand the architecture enables ongoing data-centric security efforts.
4. Discover where your data is and classify it.
Ideally, data is classified based on its level of sensitivity, where it's stored and shared, and what governance controls apply. Although more work upfront, granular classification will serve long-term security efforts.
It would help if you also had complete visibility into "shadow" data copies - like extracts in spreadsheets or cloud storage buckets. Even duplications of confidential data carry risks.
Finally, analyze data access across your employee base and systems. Understanding data locations, users, and existing protections is foundational for improving policies.
5. Understand how you are protecting your data, your current security policies, and your compliance policies, including data governance
Auditing your data protection measures involves asking critical questions, including:
- How are top-level data stores managed and secured? What processes handle breakdowns?
- For complex environments, is encryption applied comprehensively?
- For custom databases with sensitive data, do protections include vulnerability management?
- Is user and process activity monitored, real time?
- Are unstructured data files discovered and classified across systems?
The key focus should be identifying any gaps in:
- Centralized data governance
- Encryption scopes
- Access controls and activity monitoring
- Visibility into security blind spots
Evaluating current security policies and controls will uncover risks and areas needing improvement. The assessment must dig deeper than surface-level protections.
6. Analyze Risks and Priorities
Fully analyzing your existing data infrastructure and policies will illuminate security gaps and areas for improvement. Conduct a risk assessment covering factors such as:
- Data protection measures currently in place
- Scale of sensitive data collections
- Threat models based on visibility gaps
- Potential financial impact of breaches
Mapping program maturity against institutional risk appetite makes gaps actionable. For example, if compliance audits show ad-hoc data classification despite zero tolerance for non-compliance, data discovery should become a priority.
This risk analysis sets the agenda by revealing where additional data security controls or oversight are imperative given organizational priorities and tolerance thresholds.
7. Create a Data-Centric Security Plan
Security teams can develop a tailored data-centric security plan by comprehensively understanding and mapping organizational data and architecture. This plan should:
- Align to risk analysis insights
- Unify policies and controls based on data types / sensitivity
- Apply uniform protections across environments
- Address previous plan gaps
The goal is to implement centralized, unified governance scaled to the entire data infrastructure. Robust platforms like Guardium facilitate attaching appropriate controls at the data level across systems.
8. Implement Data-Centric Security
The IBM Guardium suite provides a robust data security solution with capabilities to:
- Discover and classify sensitive information across complex environments
- Maintain visibility into replicated "shadow" data
- Unify protection policies enforcing encryption, masking, and access controls
- Identify vulnerabilities enabling security teams to remediate risks actively
- Centralize management even for dispersed, hybrid ecosystems
9. Try the solution before you buy it.
WWT has an active Guardium environment in the Advanced Technology Center (ATC) connected to the SIM. The integrated solution is ready to go for you to try yourself.
In summary
As data complexity continues intensifying, organizations must seek integrated platforms purpose-built for the challenges of sprawl. The WWT and IBM partnership delivers end-to-end data-centric solutions that establish unified protection, provide centralized control of security policies, and ultimately help organizations avoid the steep consequences of compromise in the modern age.