Data has traditionally been seen as the passive result of transactional systems, to be surrounded, protected, and secured in systems that take an active part in the overall security perimeter of an enterprise. As that perimeter decomposes and becomes more fluid (e.g., cloud, mobile, IoT), data must be elevated so that each data object can participate in the security portfolio. Some of the characteristics of data as an endpoint include:
1. Data decides access rights.
A data object (whether in flight or at rest) can itself hold a secure conversation with whoever seeks to interact with it, rather than having authenticated access to an application or transaction translate automatically into access to the data.
2. Data is independent.
This secure conversation must be held independently of any application or piece of infrastructure, because data can migrate across infrastructure and be accessed by one or more applications. However often it is copied, duplicated, or moved, the data retains the rules about who can use it. Therefore, if an attacker were to copy data from a customer database and try to access it on a network unknown to the owner, that data would be useless to the attacker.
3. Data understands itself.
The data object must be self-describing and understand its own schema, so it can advertise how applications can interact with it, most likely through a series of APIs that are inherently based on authenticated use.
4. Data appreciates its value.
The data object can inherit a series of rules governing when, where, how, and why it may be accessed. For instance, viewing customer information on the corporate network might be allowed, while viewing that same data on public WiFi may be forbidden.
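The four properties above can be modelled in a few dozen lines: a data object that carries its own schema and access policy, whose payload is unreadable without a policy decision, and whose rules cannot be edited without detection. This is an added illustration, not code from the original article; it assumes a key-holding policy service, a toy XOR keystream standing in for real encryption (use AES-GCM in practice), and constructed sample data.

```python
import hashlib, hmac, json
from dataclasses import dataclass

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for a real AEAD (use AES-GCM in practice): SHA-256 counter-mode keystream."""
    out = bytearray()
    for i, chunk in enumerate(data[j:j + 32] for j in range(0, len(data), 32)):
        out.extend(a ^ b for a, b in zip(chunk, hashlib.sha256(key + i.to_bytes(4, "big")).digest()))
    return bytes(out)

@dataclass(frozen=True)
class DataObject:
    """Self-describing: schema and policy travel with the ciphertext wherever it is copied."""
    object_id: str
    schema: dict       # advertises how applications may interact with the record
    policy: dict       # rules the object itself imposes: context attribute -> allowed values
    ciphertext: bytes  # the record, unreadable without a policy decision (the key never travels with it)
    tag: bytes         # HMAC over id, schema, policy and ciphertext, so edited rules are detected

class PolicyService:
    """Holds per-object keys; plaintext exists only after the object's own policy is satisfied."""
    def __init__(self, master: bytes):
        self._master = master
    def _key(self, object_id: str) -> bytes:
        return hmac.new(self._master, object_id.encode(), "sha256").digest()
    @staticmethod
    def _tag(key: bytes, object_id: str, schema: dict, policy: dict, ct: bytes) -> bytes:
        header = json.dumps([object_id, schema, policy], sort_keys=True).encode()
        return hmac.new(key, header + ct, "sha256").digest()

    def seal(self, object_id: str, schema: dict, policy: dict, record: dict) -> DataObject:
        key = self._key(object_id)
        ct = _xor_stream(key, json.dumps(record).encode())
        return DataObject(object_id, schema, policy, ct, self._tag(key, object_id, schema, policy, ct))

    def open(self, obj: DataObject, requester: dict):
        """requester = caller-supplied context (network, purpose, ...); returns (record or None, reason)."""
        key = self._key(obj.object_id)
        if not hmac.compare_digest(obj.tag, self._tag(key, obj.object_id, obj.schema, obj.policy, obj.ciphertext)):
            return None, "integrity: policy or payload was altered"
        for attr, allowed in obj.policy.items():
            if requester.get(attr) not in allowed:
                return None, f"denied: {attr}={requester.get(attr)!r} not in {allowed}"
        return json.loads(_xor_stream(key, obj.ciphertext)), "granted"

# Constructed demo record, sealed to the corporate network and to two business purposes.
SERVICE = PolicyService(master=b"constructed-demo-master-key")
CUSTOMER = SERVICE.seal("cust-0042", schema={"name": "string", "email": "string"},
                        policy={"network": ["corp-lan", "corp-vpn"], "purpose": ["support", "billing"]},
                        record={"name": "Ada Example", "email": "ada@example.com"})
```

A copy of `CUSTOMER` carried off to an unknown network is still just ciphertext plus rules: the service denies the request on the object's own policy, and rewriting the policy to permit the new network breaks the tag.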