Six Inconvenient Truths About Data-Centric Security (And What to Do About Them)