Data-centric security is a general concept of software and IT architecture in which the data sit at the center of the system and take precedence over applications and networks.
The data-centric approach holds that most of the problems linked to the complexity of IT architecture in large organizations are caused by the central role given to applications and networks. Under this approach, those problems are solved by putting the data at the core.
Several initiatives push the data-centric model forward, including the “Data-Centric Manifesto.”
In such a model, applications are considered “ephemeral,” while data are considered the real assets of the company. Data must not depend on a specific application to be interpreted and must therefore be described in open formats.
Access to data in such a model is the responsibility of a middleman service or layer that has sole authority to grant or deny access. In other words, the data always sit in what amounts to an abstract secure vault that applications “visit.”
In a pure data-centric architecture, the data come first, and the application and network architectures are then derived from the initial data architecture.
Many large organizations are “data-driven,” meaning that they value data and create a culture of preserving and caring for the data they own. Still, they may not be data-centric.
In the banking industry, and especially among banks themselves, the data-centric model is becoming increasingly popular. A non-data-centric architecture typically involves many applications running in different places on a network and accessing data in various locations, such as databases.
An infrastructure equipped with databases (the vast majority of infrastructures) is not per se a data-centric architecture. A data-centric architecture is, rather, a database-centric architecture in which the databases are at the center of the system, are largely autonomous in their functionality, and do not rely on applications.
Besides, not all data can be stored in databases: data-in-motion and data-in-use, for example.
The main reason the data-centric architecture is becoming more popular in the banking industry is that it provides greater security over the data. Security is a fundamental concern there, since data breaches are a major risk in that industry.
The Data-Centric Security Problem
The data-centric security model, as a data-centric model focused on security, emphasizes the security of the data over the security of applications and network servers.
In that model, one must be able to identify what sort of data the system must secure. The data must be managed and protected, and they must also be constantly monitored so that any problems are detected.
Two technologies are fundamental here: encryption and data masking (or tokenization).
Obviously, the data-centric security model relies on efficient and permanent encryption of the data, whether data-at-rest, data-in-motion, or data-in-use.
Strong encryption is therefore the only solution to the data-centric security problem. It brings several challenges of its own, however, such as managing the encryption keys: the data may comprise tens of millions of different records, protected by thousands or more data encryption keys.
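The second technology named above, data masking or tokenization, is easy to misunderstand as "just another form of encryption". The added Go example below (not code from the original article or from Utimaco) shows the difference: a token vault stands in for the middleman layer described earlier, hands applications random tokens that carry no information about the real value, and is the only component able to map a token back, and only for callers it permits; a separate masking function produces the display form that never needs to be reversed. The vault, the HMAC key, the caller names and the card number are all constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// TokenVault is a constructed stand-in for the access layer that a data-centric
// design puts in front of the data: applications keep tokens, and only the
// vault can turn a token back into the real value, after checking the caller.
type TokenVault struct {
	mu      sync.Mutex
	hmacKey []byte            // keyed fingerprint so equal values get equal tokens
	byToken map[string]string // token -> real value (the protected store)
	byFP    map[string]string // fingerprint(value) -> token
	allowed map[string]bool   // callers permitted to detokenize
}

func NewTokenVault(hmacKey []byte, allowedCallers ...string) *TokenVault {
	v := &TokenVault{hmacKey: hmacKey, byToken: map[string]string{},
		byFP: map[string]string{}, allowed: map[string]bool{}}
	for _, c := range allowedCallers {
		v.allowed[c] = true
	}
	return v
}

// fingerprint is an HMAC, not a plain hash, so nobody outside the vault can
// recompute it from a guessed value.
func (v *TokenVault) fingerprint(value string) string {
	m := hmac.New(sha256.New, v.hmacKey)
	m.Write([]byte(value))
	return hex.EncodeToString(m.Sum(nil))
}

// Tokenize returns a random token for value; tokenizing the same value twice
// yields the same token, so applications can still join on it.
func (v *TokenVault) Tokenize(value string) (string, error) {
	fp := v.fingerprint(value)
	v.mu.Lock()
	defer v.mu.Unlock()
	if t, ok := v.byFP[fp]; ok {
		return t, nil
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	t := "tok_" + hex.EncodeToString(buf)
	v.byToken[t] = value
	v.byFP[fp] = t
	return t, nil
}

var ErrDenied = errors.New("caller not permitted to detokenize")
var ErrUnknownToken = errors.New("unknown token")

// Detokenize is the only path back to the real value, and it is gated on the
// caller's identity: this is where the vault exercises its sole authority.
func (v *TokenVault) Detokenize(token, caller string) (string, error) {
	if !v.allowed[caller] {
		return "", ErrDenied
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	val, ok := v.byToken[token]
	if !ok {
		return "", ErrUnknownToken
	}
	return val, nil
}

// MaskPAN is masking rather than tokenization: it keeps only the last four
// digits of a card number for display and is deliberately irreversible.
func MaskPAN(pan string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, pan)
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

func main() {
	vault := NewTokenVault([]byte("constructed-demo-hmac-key"), "payments-service")
	pan := "4111 1111 1111 1111" // constructed sample card number
	tok, _ := vault.Tokenize(pan)
	fmt.Println("stored by applications:", tok)
	fmt.Println("shown on a receipt:    ", MaskPAN(pan))
	if _, err := vault.Detokenize(tok, "reporting-app"); err != nil {
		fmt.Println("reporting-app denied:  ", err)
	}
	value, _ := vault.Detokenize(tok, "payments-service")
	fmt.Println("payments-service gets: ", value)
}
```

The point for a data-centric design is that the token store and its HMAC key live only inside the vault, so an application database that leaks exposes tokens that cannot be reversed without also compromising the vault; a real deployment would back the vault with a key manager rather than an in-memory map.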
How Utimaco ESKM Can Help Solve the Data-Centric Security Problem
Utimaco ESKM (Enterprise Secure Key Manager) is a key management solution that can efficiently manage data-at-rest encryption. For instance, it is a proven solution for the encryption of cardholder data and hospital patient records.
ESKM is compatible with non-stop volume encryption, which allows continuous replication of data from one site to another. ESKM is compatible with the following client encryption systems:
- HPE NonStop
- HPE Smart Array Secure Encryption (Proliant)
- HPE StoreEver Tape Library
- HPE StoreServ 3PAR
- HPE StoreOnce
- HPE XP
- HPE SimpliVity/Hyper Converged
- HPE Helion (OpenStack Barbican)
- HPE Nimble
- Micro Focus Connected MX Backup/Recovery
- Voltage Email and Big Data Encryption System
Here is a list of the data that ESKM can help encrypt in a data-centric solution:
- Payment cardholder data (CHD)
- Electronic health records (EHR)
- Personally identifiable information (PII)
- Intellectual property (IP)
- Confidential business records
- Service provider hosted data
- Defense and classified information
An Example of Integration of ESKM in a Data-Centric Architecture
The following real use case shows how ESKM can support the creation of a data-centric architecture.
In this example, a major healthcare IT provider needed to protect sensitive patient information, including EHR (Electronic Health Records), PHI (Protected Health Information), and PII (Personally Identifiable Information), and had to comply with HIPAA (the Health Insurance Portability and Accountability Act).
Data were mirrored between multiple datacenters with around 10,000 servers and more than 250,000 disks per datacenter. To realize a data-centric secure architecture, the data had to be encrypted on each server, and the keys had to be kept separate from the data. The solution was to integrate ESKM servers into the system.
As a result, remote key management kept the keys separate from the sensitive data and allowed continuous encryption of the data in a scalable way (ESKM serves thousands of client servers, for example).
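The two requirements in this use case, encryption on every server and keys kept separate from the data, and the key-count challenge raised earlier (tens of millions of records, thousands of data encryption keys) are usually met together with envelope encryption. The added Go example below is not code from the article, from Utimaco or from ESKM; the in-process KeyManager type is a constructed stand-in for an external key server, and the record ID and patient text are constructed samples. Each record gets its own data encryption key (DEK); the storage server holds only ciphertext plus the DEK wrapped under a key encryption key (KEK) that never leaves the key manager, and the wrap is bound to the record ID so a wrapped DEK cannot be transplanted onto another record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManager is a constructed stand-in for a remote key server. It holds the
// KEK and only ever handles DEKs; it never sees the record plaintext.
type KeyManager struct {
	kek []byte
}

func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32) // AES-256 key encryption key
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob encrypts plaintext under key with AES-GCM, prepending a fresh nonce
// and authenticating aad (here: the record ID) alongside the ciphertext.
func sealBlob(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func openBlob(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

// NewDEK mints a per-record data encryption key and returns it with its
// wrapped form; the wrap is bound to recordID through the AAD.
func (km *KeyManager) NewDEK(recordID string) (dek, wrapped []byte, err error) {
	dek = make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	wrapped, err = sealBlob(km.kek, dek, []byte(recordID))
	return dek, wrapped, err
}

// Unwrap is the only operation a storage server ever asks of the key manager.
func (km *KeyManager) Unwrap(wrapped []byte, recordID string) ([]byte, error) {
	return openBlob(km.kek, wrapped, []byte(recordID))
}

// Record is what the storage server keeps: no plaintext, no bare key.
type Record struct {
	ID         string
	WrappedDEK []byte
	Ciphertext []byte
}

func EncryptRecord(km *KeyManager, id string, plaintext []byte) (Record, error) {
	dek, wrapped, err := km.NewDEK(id)
	if err != nil {
		return Record{}, err
	}
	ct, err := sealBlob(dek, plaintext, []byte(id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func DecryptRecord(km *KeyManager, r Record) ([]byte, error) {
	dek, err := km.Unwrap(r.WrappedDEK, r.ID)
	if err != nil {
		return nil, err
	}
	return openBlob(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	km, err := NewKeyManager()
	if err != nil {
		panic(err)
	}
	// Constructed sample patient record.
	rec, err := EncryptRecord(km, "patient-0001", []byte("Jane Doe, DOB 1970-01-01, diagnosis code Z00.0"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(km, rec)
	fmt.Printf("record %s: %d ciphertext bytes, %d wrapped-DEK bytes, err=%v\n", rec.ID, len(rec.Ciphertext), len(rec.WrappedDEK), err)
	fmt.Printf("decrypts to: %q\n", pt)
}
```

Because only the KEK is long-lived, rotating it means re-wrapping the small DEKs rather than re-encrypting terabytes of records, and a server that is decommissioned takes only ciphertext and wrapped keys with it; a real deployment would move KeyManager behind the key server's network protocol (ESKM speaks KMIP, though that integration is not shown here) rather than keeping the KEK in process memory.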
Conclusion
Utimaco ESKM can help construct a full data-centric architecture by allowing encryption key management in a smart and scalable way.
About the author
Martin Rupp is a cryptographer, mathematician and cyber-scientist. He has been developing and implementing cybersecurity solutions for banks and security relevant organizations for 20 years. Martin currently researches the application of Machine Learning and Blockchain in Cybersecurity.