Let's admit the "discover, classify, protect" paradigm is wrong — or, at the very least, flawed.
Overall, the discover, classify, protect approach sounds very reasonable: Find all your data, then figure out the level of importance of each piece of data, and then protect the essential data. Yet, many fatal flaws exist in this approach.
Discover, classify, protect can prove to be a bottomless pit of money and resources without fulfilling the DLP (data loss prevention) promise. Discovery could work when the scope of data location was finite. Users created data on the endpoint and stored it on the device or moved the data to a central storage location. Users transferred data from the same central location to view and edit on their endpoint.
However, the reality of today is different: Users can create new data anywhere, not only from any device but in new cloud services that appear daily.
Also, classification hasn't always proved effective. Public, internal and confidential labels typically don't work because classification requires users to participate in the security process.
The reality of today: Diligent users still make mistakes. A malicious user can take advantage and purposefully skirt security. Additionally, the importance of data changes over time. Financial numbers for the quarter are only sensitive until announced during the company earnings call. I've written about this previously, regarding why data classification shouldn't depend on users.
Protection also introduces issues. Common DLP protection relies on the discovery and classification steps and isn't zero trust. Zero trust would require authentication of the data constantly, but instead, DLP tools allow users complete access to the information on the endpoint.
The reality of today: Legacy DLP only tries to block or take action when users attempt to move data off of the endpoint. Data on the endpoint is not protected by default, and there are countless ways to move data off the endpoint and avoid DLP rules. DLP rules are very fragile and require constant upkeep. I've covered this issue in a previous article regarding data loss prevention and the endpoint security gap.
Organizations can't afford to follow the discover, classify, protect path anymore. Instead of throwing money and time into the discover, classify, protect pit, break the cycle with a zero-trust approach that focuses on data.
Here six ways to break the pattern and implement a zero-trust data security solution:
1. Protect data by default — no more decisions on what to protect. Start with the posture to secure all data.
2. Protection needs to be persistent. Never decrypt files to be viewed or edited.
3. Protection needs to follow data regardless of where the data goes, including moving data to cloud and SaaS applications.
4. Consider replacing traditional classification with automated protection based on context and content. Context includes devices, workflows, applications, URLs and storage locations. The content consists of the type of data such as PII (personally identifiable information), PHI (personal healthcare data), PCI (payment card industry data), derivatives to already secured data) or derivations of previously secured data.
5. Users shouldn't know security exists. If the user or business workflow is changing to meet security needs, you have the wrong approach or solution. If user behavior doesn't change, companies don't have to waste time and money to train employees.
6. Replace fragile and endless DLP rules with simple to maintain data egress policies. Legacy DLP rules are application-based. Admins spend the majority of their time creating or updating rules for new applications.
Malicious actors and the technology being used to attack companies are becoming more and more sophisticated. Implement a zero-trust approach to data and look for solutions that provide immediate value and whose ROI can be measured in weeks.
The reality of today: Don't settle on discover, classify, protect because that was the historical answer to data loss prevention, not the answer for today's pain points.