While most organizations invest heavily in perimeter defences and infrastructure security, the most significant gaps in cybersecurity today often exist at the data layer. The assumption that data is inherently protected when systems are secured is no longer tenable, particularly in environments characterized by distributed collaboration, cloud adoption, and increasing data mobility.
This whitepaper, Addressing Gaps in Your Cyber Security, outlines a methodical approach for designing security controls around data itself, rather than the systems or containers that store it.
The Shift from Infrastructure-Centric to Data-Centric Security
Frameworks such as NIST provide structured guidance for cybersecurity planning, offering a high-level view of how to identify and respond to vulnerabilities. However, there is often a disconnect between the identification of data-related risks and the implementation of corresponding technical controls, especially when different teams are responsible for different layers of the architecture.
In many organizations, protections are implemented at the application or system level (e.g. access control lists, device trust models, identity-based authentication), but these controls typically do not persist with the data once it moves across systems or outside the perimeter. This creates a gap between business-level risk and the actual effectiveness of security controls applied in practice.
Introducing the Uniform Control Model
To close this gap, the paper introduces the Uniform Control Model, a framework for implementing data-centric security that enables:
- System-agnostic control design
- Clear alignment between data protection requirements and operational enforcement
- Improved auditability and centrally control visibility deployed cross-system
The model is developed through three foundational steps:
- Identify high-value, high-risk data sets that require protection
- Pinpoint data vulnerabilities across key lifecycle stages—creation, access, usage, and sharing
- Map each vulnerability to a defined Control Type, forming a structured, repeatable control framework that scales across applications and platforms
Use Case: Project Catalina
The paper uses a real-world scenario involving sensitive product design files shared across external partners to demonstrate how data-centric controls can be prioritized and applied. By identifying specific vulnerabilities such as uncontrolled file sharing or storage on unmanaged devices, the organization implements a focused control strategy that aligns with both risk posture and business need.
Benefits of a Data-Centric Design Approach
While the focus of the paper is on the early stages of security architecture design, the implications are broad, namely:
- Alignment between business value and protection level: Sensitive data receives the most stringent controls, irrespective of storage location or user device.
- Improved audit and compliance readiness: Clear mappings between data vulnerabilities and control implementations facilitate assessments and reporting.
- Scalability and reuse: Once established, the Uniform Control Model can be extended across data classes and systems, enabling consistent enterprise-wide policy enforcement.
Infrastructure-centric security can no longer keep pace with today’s data sharing and collaboration demands. The whitepaper provides a deeper examination of how a data-centric security model and the Uniform Control Model can help organizations address data vulnerabilities more effectively. It offers practical guidance and examples for designing consistent, system-agnostic controls that protect sensitive data wherever it resides.
For a complete framework and step-by-step methodology, refer to the full whitepaper:
To comment on this post
Login to NextLabs Community
NextLabs seeks to provide helpful resources and easy to digest information on data-centric security related topics. To discuss and share insights on this resource with peers in the data security field, join the NextLabs community.
Don't have a NextLabs ID? Create an account.