How to evolve your organization into a data-centric security architecture

December 21, 2021  |  Theodoros Karasavvas

This blog was written by an independent guest blogger.

Defense strategies have evolved as hackers have changed their schemes, and one new approach companies are putting into practice for their security plan is data-centric security. 

Older security models focused on network infrastructure and hardware security controls while data-centric security concentrates on the data itself. This means data should be secure at all points regardless of where it is stored, processed, or where it is in transit. It also encompasses the zero-trust-network-access (ZTNA) concept. 

ZTNA limits access to data based on user privileges rather than granting each user access to company details. Users may also need to re authenticate themselves if they choose to switch tasks or have been inactive for a set amount of time. How you choose to authenticate users is up to you.

Implementing data-centric security

Whether you are starting from scratch or already have safety measures in place, it is paramount to make data protection a priority. Adapting your cybersecurity to a data-centric model will depend on your current security model, but even with a data-centric model, you will still need a multi-layered approach to manage and protect against the barrage of breach attempts brought on by scammers.

If you are starting from scratch, you should identify what type of sensitive information you and your organization are in charge of safeguarding. Typically, if you collect and process credit card payments, you must follow PCI compliance, while if you gather and save patient data you must follow HIPAA compliance. In some cases, you may have to obey and follow both sets of standards. In these cases, you should understand the many differences and overlaps between the two. 

If you currently have a security model in place, it is crucial you review compliance standards to ensure you and your organization are up-to-date and in accordance with said guidelines. Your website and infrastructure should be PCI compliant, and this includes choosing to use programs and software that comes PCI-DSS certified that you run your operations with. 

If you are starting out fresh, the following are measures to build with. If you already have a security set-up, you will need to update previous measures and integrate new changes as your organization grows. 

To be data-centric, it is essential to understand where your data is being stored or where you will collect information. This could be on a hard-drive or within a cloud storage system. You will have to determine what storage system best aligns with your interests, needs, and the safety features you desire. In addition, you should know how to quickly find this information. Some teams choose to use tags, so they are able to rapidly search for items.

It is you and your IT team’s duty to decide what records team members are privy to, and you should be able to recognize said team members during record access. This is imperative because you and your team may be able to pinpoint areas of suspicion and block them. Additionally, people with right to use are a direct line to private data which means they are common targets for hackers. 

Anyone with entrance capabilities should be able to distinguish the many ways spammers attempt to breach security infrastructure. Furthermore, it is crucial to understand how they are accessing information because misconfigured devices and open networks are other common ways hackers sneak in through employee accounts. Be aware that not all threats are external, sometimes threats come internally from employees who seek to leak private materials for their own reasons. 

Cloud storage and tethering allows for fluid workflow between parties; however, mistakes do occur, and links may be sent to the wrong user via email. Luckily, tethering can be removed, and entry is revoked to these mistaken receivers. In some cases, IT personnel are able to manually approve or deny users without credentials when they try to enter the system.

Records also exist in transit. Sometimes, this information is intercepted while enroute to its destination. Encryption has become fundamental for data destinations and in passage. Sometimes encryption is built into websites and programs - some examples include HTTPS and email encryption, but this is not enough to thwart every scammer's assault on data. 

Virtual Private Networks (VPNs) provide added security to data as it moves from place to place by creating a private (encrypted) channel for it to journey through which makes it harder for traveling records to be detected. You should be aware that encryptions are not a fool-proof method as there are many factors that contribute to the safe-keeping of information. Not all VPNs are created equal, and some may even leak data which makes their use pointless. 

Other considerations

Unfortunately, breaches remain a viable outcome, and some cell carriers have even started to provide breach alerts to their clients because they are within the realm of possibility. If you discover a data breach, you should contact your IT department and follow their instructions. A security plan that is data-centric may be able to mitigate damages because it is clear where data is and who has access to it. Exposures may be able to be traced back to their origin point and at the very least, entry can be revoked. 

Another key component to consider is continuing education for yourself and members of your organization, and there are many ways to make safety training useful and effective. Changes in protection plans mean that criminals will also modify their efforts to obtain their goals. Working from home was exploited and still is, so be sure to learn and teach the many ways remote employees can work safely. 


Recall, data-centric security focuses on securing data rather than just where it is stored. This means information should be protected in storage, transit, and processing. Remaining in compliance allows you to build a robust defense from on-going cybercriminal assaults. Cybersecurity, even one that follows a data-centric model, is an ongoing process that must evolve as hackers adapt and apply new tactics. 

Spammer advancements may highlight security gaps, so be prepared because current security may not be enough to prevent a breach in the future. Lastly, be sure to create a system that suits you and your organization's needs and wants. A system that you and your team do not like and is hard to use or follow will not meet your security requirements.

Share this with others

Get price Free trial