Data Is the New Perimeter: Insights from NIST and Virtru on CyberWire

"If you think about the cloud, what is the perimeter?" 

Virtru's SVP of Engineering, Dana Morris, posits this question on the latest episode of CyberWire-X. "There really isn't a perimeter like there used to be 10 to 15 years ago, when everybody had firewalls and VPNS and they were basically connecting to a data center... As we move into the cloud and data has increasingly moved into SaaS applications and across different cloud solution providers, the perimeter has definitely changed dramatically."

Data is the new perimeter, and this was a central theme of the latest episode of the CyberWire-X podcast, What is Data-Centric Security, and Why Should Anyone Care? The episode features CyberWire Hosts Rick Howard and Dave Bittner in conversation with Bill Newhouse, Cybersecurity Engineer at National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE), and Dana Morris, SVP of Engineering at Virtru. 

Data Is the Thing to Protect: Data-Centric Security and Classification at NIST

The episode opens with a conversation between The CyberWire's Rick Howard and NIST's Bill Newhouse. Newhouse highlights why traditional, perimeter-centric approaches are no longer sufficient — simply because, with the expansion of cloud collaboration, SaaS applications, APIs, and other dynamic ways of sharing information, the perimeter itself is amorphous and ever-changing. That's why it's essential to turn your focus on the data itself — the true asset you're trying to protect.

"If you're moving data around for business processes, you're relying on data, you are a data company, data supports everything you do — it starts to sound like the thing to really worry about and protect," says Newhouse. He also references the U.S. Department of Defense (DoD) Zero Trust architecture and why data is a vital pillar. 

This focus on data is a driving force in the NCCoE's Data-Centric Security and Classification Consortium, which aims to create standards that will advance data-centric security at scale. Virtru is a participant in the consortium, along with NIST, Google, Adobe, and JPMorgan Chase & Co. Newhouse emphasizes that a crucial step to Zero Trust is an assessment of your data, organizing and tagging it appropriately, and determining how access should be granted on a data level. "One should organize one's data so that you can have it work for you, you can protect it, you can share it as you wish... and aim to have control of that process."

Data-Centric Security and Zero Trust

For the second half of the episode, CyberWire host Dave Bittner sits down with Virtru's Dana Morris to talk about how best to manage and protect data in motion. Morris shares the history of Virtru and the Trusted Data Format, an open specification recognized by the Office of the Director of National Intelligence (ODNI). ODNI, too, recognizes the importance of data-centric security: "A structured, verifiable representation of security metadata bound to the intelligence data is required in order for the enterprise to become inherently 'smarter' about the information flowing in and around it." 

Morris highlights why data-centric security and Zero Trust go hand in hand: "What we've seen recently, especially with the growth of Zero Trust, is this idea of really focusing on, what is that core asset that you really want to protect when you think about security? And that's the data. It's not the perimeter, it's not the network. All of the solutions you're deploying in the context of security are really about protecting the data. And so the concept here is about how to start doing more to protect the data object itself in addition to all the other ways you're protecting data already." 

"We've seen industry and government momentum in thinking about that problem space," Morris said. "[There used to be a] pretty well-defined perimeter that could be used to control what people could and couldn't access. I don't know that there's a move away from the perimeter as much as saying 'We need to do more than just think about a perimeter, because that perimeter has changed.' It's not that you would throw out any concept of trying to enforce things at the app or network boundary, but it's about adding onto those locks and essentially figuring out how you can put additional locks on the data itself."

Organize, Protect, and Control Your Data with Virtru

Virtru's technology empowers organizations to control and protect their data, without sacrificing the ability to share it. Whether it's client-side encryption tools for Google and Microsoft, or automated security for the data flowing through SaaS apps, Virtru gives you complete visibility into, and control over, the data that moves in and out of your organization. 

Want to see how Virtru can help strengthen your data-centric security posture? Start the conversation by reaching out to our team for a personalized demo.