
    Data Management | May 5, 2021 | 8 min read

    Data-Centric Security

    Kevin Doubleday

    Fluree


    Introduction

    Welcome to part three of Fluree’s Data-Centric Architecture series, where we peel back each layer of Fluree’s data-centric architecture stack.

    Our first installment, “Data-Centric Trust,” describes the ways in which data provenance, lineage, and integrity are central to a healthy data ecosystem. Our second installment, “Semantic Data Interoperability,” covers how formatting data under a common vocabulary can help technologies exchange information with meaning. 

    Together, these concepts of “trust” and “interoperability” open the door to a new era of data collaboration, defined by dynamic data ecosystems, where data is published, accessed, and collaborated on by a wide variety of stakeholders. 

    However, as more stakeholders enter these data ecosystems, we’ll need to enforce various permissions and rules related to identity and access. In other words, as we broaden the audiences that are accessing data or transacting against data sets, we must rethink how and where we implement security. 

    This is where Fluree’s next “layer” is required: data-centric security.

    What is Data-Centric Security?

    The data-centric philosophy involves moving data management responsibilities from the application tier to the data tier, and security is no exception. With data-centric security, permissions related to data are baked into the architecture as a core ingredient:

    Data-centric security is an approach to information cybersecurity that emphasizes the security of data itself rather than the security of applications or networks. In a data-centric security framework, security policies and protocols are defined and enforced at the data layer, rather than deferred to a server, application, or network. 

    There are three key objectives to data-centric security: Manage, Track, and Protect.

    Manage - Define policies that determine who can access, contribute, or use data, and how

    Track - Monitor data’s supply chain as it moves through systems and users

    Protect - Enforce identity and access management protocols

    Figure: a Möbius loop representing the three objectives of data-centric security as a continuous cycle. Part 1 is Manage: define strict identity and access policies determining data access, contribution, or use. Part 2 is Track: monitor data’s supply chain as it moves through systems and users. Part 3 is Protect: enforce identity and access management policies.

    In Fluree, these security objectives are defined, codified, stored, and executed as data in the database in the form of SmartFunctions.
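
    The three objectives, with rules stored and evaluated next to the records they govern, as an added Python sketch. It is not Fluree's SmartFunction syntax or API and not code from the original article; the store layout, rule tuple format, identities and sample record are all constructed for illustration.

```python
import hashlib, json

def digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def allowed(store, ident, coll, rec, field, action):
    # Manage: rules are plain data in the store; no matching rule means deny.
    return any(
        (c, a) == (coll, action) and f in (field, "*")
        and (ident["role"] in roles or (owner_ok and rec.get("owner") == ident["id"]))
        for c, f, a, roles, owner_ok in store["policies"])

def track(store, ident, action, key, fields):
    # Track: each entry commits to the previous hash, so rewritten history shows.
    prev = store["log"][-1]["hash"] if store["log"] else "0" * 64
    entry = {"who": ident["id"], "action": action, "key": key, "fields": sorted(fields), "prev": prev}
    store["log"].append({**entry, "hash": digest(entry)})

def read(store, ident, coll, rec_id):
    # Protect: whatever application asks, only policy-released fields leave.
    rec = store["records"][(coll, rec_id)]
    view = {f: v for f, v in rec.items() if allowed(store, ident, coll, rec, f, "read")}
    track(store, ident, "read", f"{coll}/{rec_id}", view)
    return view

def write(store, ident, coll, rec_id, field, value):
    rec = store["records"][(coll, rec_id)]
    ok = allowed(store, ident, coll, rec, field, "write")
    track(store, ident, "write" if ok else "write-denied", f"{coll}/{rec_id}", [field])
    if not ok:
        raise PermissionError(f"{ident['id']} may not write {field}")
    rec[field] = value

def log_intact(store):
    prev = "0" * 64
    for e in store["log"]:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or e["hash"] != digest(body):
            return False
        prev = e["hash"]
    return True

def demo_store():
    # Constructed sample data. Rule = (collection, field, action, roles, owner_ok).
    return {
        "records": {("account", 1): {"owner": "alice", "balance": 120, "risk_note": "ok"}},
        "policies": [("account", "*", "read", {"auditor"}, False),
                     ("account", "balance", "read", set(), True),
                     ("account", "balance", "write", {"teller"}, False)],
        "log": []}
```

    Because the filter runs inside read() and write(), a second application calling the same store inherits the same rules without re-implementing them, and denied attempts land in the same log as permitted ones.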

    Why is data-centric security needed today?

    More data silos = more attack surfaces: Data today is used and reused across multiple contexts, shared via webs of APIs, and duplicated into data silos for analytics. At every stage of reuse we introduce a new potential attack surface that must be monitored. Attackers know this: according to Akamai’s 2020 State of Internet Security report, 75% of total cyberattacks in the financial services industry targeted APIs. Re-implementing data security in every middleware, data lake, and API along this digital supply chain is simply not scalable. 

    Once you’re in, you’ve got root access: As exemplified by many of the data breaches in recent news, information security in an application-centric architecture is only as good as its endpoint security. The more attacks grow in complexity, the deeper security measures get pushed into online infrastructure. Yet data, the ultimate reward at the core of every hack, often remains unprotected.

    Cloud computing, SaaS, and the era of remote devices: Thanks to the advent of cloud computing, enterprise data is now published to the cloud and accessed by many users across many devices across many networks (especially in today’s work-from-home era). The proliferation of bring-your-own personal devices and wifi networks is just one example of our inability to control how our information is being accessed and passed through systems.

    The data supply chain is becoming complex and regulated: Data has been called the new “oil”. Whether this is an accurate or a poor analogy, we can all recognize its ubiquity and importance in our global economy. And when something becomes ubiquitous, regulation follows:

    • Motor vehicles were followed by motor vehicle laws and the DMV
    • Mass-produced food products led to nutritional labels and the FDA
    • The airline industry was met with FAA policies

    The first wave of data regulation has already taken place in the form of GDPR, CCPA, and the like. At the same time, data has evolved to become somewhat of an asset that can be passed around, exchanged, and even brokered. In other words, data now has a supply chain with various stakeholders. Add these emerging compliance pressures to this already complex supply chain mix, and now you’ve got quite the set of security demands to manage.

    While there is certainly still merit to securing endpoints and tightening up network security, the above trends demonstrate a clear need to bring data-centric security into the overall enterprise strategy. 

    Data-Centric Security, Applied

    In a data-centric security context, information remains protected as it moves in and out of storage systems or applications and across changing business contexts, regardless of the network or application security. We call this “data defending itself.” Security is baked in, and thus inseparable from the data it protects. 

    As you might imagine, data-centric security can simplify and automate data governance and security for data sets. By baking security directly into the data tier, we find many benefits, among them: 
