Enterprise data security is being forced to undergo significant shifts—is your organization ready?

By Mario Espinoza, Vice President of SaaS Security & Data Protection at Palo Alto Networks

Enterprise data security has always been about protecting sensitive data and ensuring that it doesn’t fall into the hands of unauthorized people. It’s there to prevent the leaks that could result from an outside attack, a misconfiguration or even an insider. When all data was housed within an enterprise data center, IT security staff had a centralized location to protect what was finite and more predictable.

However, the world has moved on from an era when data resided only on user devices and within the walls of an enterprise data center. As data has become increasingly untethered from the physical devices and locations controlled by an enterprise, it’s not surprising that enterprise data security is being forced to undergo significant shifts.

Where is enterprise data now?

Today enterprise data spans multiple locations, including end-user devices, on-premises data centers and multiple clouds. Many users are not using desktop-based applications anymore either. For every word typed on a screen, the only thing we can be sure is happening on the end-user computer is the keystrokes, with all data potentially residing in the cloud.

So, for the most part, data is no longer a static thing existing in well-defined locations controlled by an enterprise. Instead, data is often in motion across multiple environments and different geographies. Today, data can literally be anywhere and everywhere, so the job of securing it has gotten increasingly complex.

Encryption alone doesn’t answer today’s threats

In the past, most organizations thought that the majority of data loss was the result of hackers and malicious third parties, so they would encrypt the data, assuming this would eliminate the risk. Unfortunately, what has become obvious in the modern era is that a significant portion of data leakage in an organization occurs not because of an external source but due to insiders.

Encryption doesn’t protect you in that case because the insider has access to all the data, even if it is encrypted. Encryption protects you from a third party; it doesn’t protect you from the people who work in your organization or have access to the data.

Knowing Which Data Is Important to Secure

An issue that has long existed for enterprise data security is the challenge of identifying which data is important and needs to be protected. Historically, companies addressed that problem by creating rules for certain formats of data and files. Over time, the rules could be tweaked, and organizations would create their own categories to define what information is important. But the manual approach doesn’t scale for the modern era when data is constantly being created and shared in myriad locations.

Identifying sensitive data can now be done with better accuracy, speed and scale than ever before, thanks to machine-learning (ML) technology. ML enables the creation of automatic classification for important data. Also, classification itself is no longer about manually created categories for data protection but rather has evolved to be about content-aware inspection.

With content-aware inspection, instead of labeling content based on its source or some externally facing attribute, like a file name, the data protection technology will look inside the file to determine what it contains. The analysis of content is powered by a machine-learning model that will determine if there is sensitive data in the content that needs to be protected.

While manual data classification can still be useful, with content-aware inspection, organizations can benefit from a more automated, accurate and scalable approach.

Today’s Enterprise Data Security Takes DLP and SASE

A central component of enterprise data security technology, data loss prevention (DLP), has also evolved over the years. Modern DLP should be integrated into the secure access service edge (SASE) architecture to strengthen enterprise security.

Why Is SASE Needed?

With data being everywhere and users connecting from any place, SASE provides a security layer to protect organizations, users and their data. SASE connects access to networks in the cloud with security services, enabling users to connect anywhere, at any time, with enterprise security protection. SASE protection includes threat prevention, cloud access security broker (CASB) capabilities and data protection.

SASE also intersects with SD-WAN and the concept of Zero Trust Network Access (ZTNA). As such, data loss prevention is part of a larger suite of services that protects user interactions everywhere.

More steps to improve enterprise data security

There are several actions that security leaders should take to help improve enterprise data security.

Take it to the top. In a digital era, data security must be a top concern for every organization. Data security and privacy should be discussed at the executive and board levels. In the event that this topic is not already on the agenda, it should be.

Follow a multistakeholder approach. To be successful, data security requires a multistakeholder effort. Having a data protection strategy and some form of a steering committee with different members from across the organization is a solid best practice. The committee can be where goals are discussed, and an approach to data security is determined with input from across the business.

Use modern tools.
Data protection technologies created and deployed a decade ago simply can’t keep up with the enterprise data reality of today. Organizations need to rethink data protection and take advantage of modern approaches with the latest tools. It is incumbent upon IT leaders to replace legacy on-premises systems with the next generation. Data protection solutions that use the cloud and rely on AI and machine learning to protect and classify important data automatically should be the focus now.

The viability of nearly every business relies on data. No company in this day and age can be viable in the medium and long term if they don’t protect sensitive data and don’t align with privacy trends. And thankfully, there are now effective ways to do it.

Join us here to learn more.

About Mario Espinoza: Mario is Vice President of SaaS Security & Data Protection at Palo Alto Networks. He is responsible for overseeing product strategy and roadmap for solutions that protect sensitive data and SaaS applications. Prior to Palo Alto Networks, Mario was Vice President of Information Protection at Symantec where he held leadership roles in data loss prevention, encryption, data classification, IAM and UEBA. He holds an MBA degree from the Haas School of Business at the University of California, Berkeley.