Applying a Data-Centric Strategy in a Vast IT Ecosystem
- With so many assets moving into the cloud and onto mobile devices, implementing a data-centric security strategy requires more controls built into software.
- Data-centric security effectively balances the costs of protection against the risk of damage, especially in a complex, ever-changing IT infrastructure with no clear boundaries.
“Nobody can block a hacker who really wants to hack you. The most important thing is that that attacker shouldn’t be able to gain access to business-critical assets.”
As one of the world’s largest financial services companies, Mitsubishi UFJ Financial Group (MUFG) operates in more than 50 countries and has a complex IT ecosystem that spans geographies, regulatory environments, and business drivers. In such an environment, Eric Bedell, MUFG’s chief information security officer, says that trying to secure every device, every application, and every cloud instance is extremely difficult. Instead, he focuses his security strategy on the data. “We classify all our information and locate our most important data centrally,” Bedell says. “Everything in that central location is classified. Removal of data from that vault is authorized based on data classification and where the data are going.” Bedell says that it doesn’t matter if the data is going to the cloud, a managed service, or a device: The move is authorized only based on the classification of the data and the person or process having the appropriate clearance.