A 360 Perspective on Data Security for Operational Resilience
Why you should read this paper
This paper will provide you with a perspective of the shortcomings with most data security strategies and solutions and outlines how you can address these challenges in order to be operationally resilient.
Companies spend billions of dollars annually to secure their infrastructure and data, yet data breaches routinely occur even when network security and user validation is in place. A single breach can cost millions of dollars to detect, respond, and recover. It can also affect the long-term viability of your business as securing personal data becomes an important, global issue. In fact, in a recent global survey, 85% of consumers said they wish there were more companies they could trust with their data.1
Encryption has proven to be the most effective way to lower the impact of a security breach, but traditional encryption helps only when data is at rest (disk encryption) or in transit via secure communication methods such as SSL and TLS. That leaves companies with significant vulnerabilities when the data is in use by on-premise or cloud applications. Plus as companies rely more heavily on cloud environments, including Software as a Service (SaaS) and Infrastructure as a Service (IaaS) products, they face even greater risks by giving control of the data to those cloud providers who may or may not encrypt data securely, and even if they do, the cloud provider has access to the data and the encryption keys.
Today, a new approach is needed, as provided by the Sotero data platform2, which can secure all your sensitive data, regardless of source, location (on-premise, cloud, or hybrid) and lifecycle stage (at rest, in transit, or in use). Organisations like yours should be able to seamlessly adopt, deploy and use this technology to addresses these challenges, thus enabling them to operate smoothly and securely, with the confidence to use, share and monetize data.
‘Sensitive data is put at risk by traditional encryption, cloud migrations, and endpoints’
Data is the life blood of all organisations. It is used to improve critical business metrics in all industries, including the sales results, customer satisfaction, efficiency of manufacturing processes and the quality of healthcare. It’s safe to say that every enterprise has sensitive data, such as customer data, personally identifiable information (PII), employee data, financial information, or transaction information. Today, securing that information is not simply a good business practice, it is increasingly a mandate by government bodies and regulators such as the General Data Protection Regulation (GDPR), or as an industry standard, such as Payment Card Industry – Data Security Standards (PCI-DSS).
Clearly, securing data is not easy. In the past, it was easier because there were fewer applications and data was often siloed and therefore more easily secured. Today, however, data is ubiquitous and at the core of every business – healthcare, financial services, software, pharmaceuticals, retail, and education. The competitive differentiation of companies, collaboration with partners, and customer trust depends on their ability to use, share, and monetize data securely. They use an increasing array of specialized software, systems, and access devices/endpoints (e.g. mobile phones and IoT devices) to unlock the value of their data and make their business operate efficiently. Data flows more freely in this environment, both inside and outside the company, and is typically stored in many places, including on-premise databases and applications, SaaS applications hosted in the public cloud, and IaaS systems. This all equates to more attack points, higher complexity and vulnerability, and higher risk for organisations.
What must a solution achieve today
Technology solutions must address four major areas of vulnerability that are underlying factors in data breaches today. These are:
1. Encryption doesn’t protect data in use – Companies that encrypt their sensitive data often conclude their data is completely protected, but that is incorrect. Traditional encryption, consists only of:
a) Disk encryption, which protects data only when it is at rest on the disk, and
b) Encrypted communication links, such as those powered by SSL and TSL encryption, which encrypt data only when it is in transit from one system to another.
While valuable, this encryption does not cover one of the major vulnerabilities that companies face today – an attacker obtaining unauthorized, direct access to the database. Access can be gained by several methods, including phishing attacks, misconfigured databases, or custom software programs that impersonate valid applications requesting data. Once a system is breached in this way, the attacker can write queries to access and/or steal all the underlying data. The database operating system will fetch the data from the disk, unencrypt the data and send query results back to the attacker in plain text.
Also, Disk encryption does not prevent unauthorized access from those that are charged with administering the database, whether those people are employees or third-party consultants. For example, encrypted data on the disk does not prevent a database administrator from querying the database to get unencrypted data and, thereby, reviewing or stealing data they do not need to access.
As database products have matured, they have begun to offer ways to better protect unauthorized access to data, such as Always Encrypted for Microsoft SQL Server and Transparent Data Encryption for Oracle. However, even if such native tools were available for every SaaS application, IaaS product and on-premise application or database, using disparate native solutions and replicating those solutions in each instance would make it unmanageable and risky for most companies.
2. Cloud applications and infrastructure often put your data at risk – As companies shift more of their sensitive data to the cloud, they introduce more potential cracks in their security. Specifically, SaaS applications and IaaS that reside in a public cloud introduce the following vulnerabilities:
a) Cloud providers require their customers to provide their own cybersecurity and they do not enforce it, which leaves cloud applications less protected unless the organization has a highly sophisticated security management program.3
b) Data in the cloud is accessible to the database administrators of the cloud applications or infrastructure via direct access to the database.
c) If data in the cloud is encrypted by the cloud or application provider, the provider still holds the encryption keys and can access the data in the database.
3. Endpoints such as mobile applications, point of sale systems, and IoT devices may not be secure. Attacks often start at endpoints, such as workstations or printers, which are often left unsecured, and then proceed to backend servers that hold sensitive data. A recent survey of security professionals indicated that employee-owned mobile phones, laptops and IoT devices/sensors are susceptible to attack and are the least likely to be covered by security management programs. In the same survey 28% of survey respondents confirmed that attackers had accessed endpoints.4 Lack of control at endpoints enables attackers to access sensitive data even if it is encrypted.
4. Anomaly detection tools don’t prevent unauthorized access – They have two limitations. First, they are usually deployed at the firewall or network level, not the data access level. This prevents them from detecting data requests that are benign at the access level but still malicious at the data level. Second, log file and user behaviour analysis tools, such as Splunk, do not operate in real-time. They can help organizations discover hacking/intrusion and unauthorized access as part of a forensic investigation, but they do not enable a company to interrupt and prevent unauthorized access in real-time.
Considerations for a technology solution
‘Leave no data unsecured throughout the entire data life cycle’
To address these challenges a new, holistic approach to data protection by securing the data itself, not just the application, database, or network in which it resides, needs to be taken. This has the following unique advantages over more traditional security approaches:
- Centralized governance. This allows you to manage data security for all your data stores from a single platform and using a single method. It simplifies and improves the success of a security management program.
- All sensitive data is encrypted. Sensitive data, including all data fields in all applications need to be secured with encryption which adheres to standards such as AES-256. This includes heterogeneous applications, such as ODBC, RDBMS, and JDBC databases, and applications deployed on your premises, in a private cloud, or in a public cloud.
- Data is encrypted throughout the entire data life cycle (at rest, in transit, and in use). Because data in use must remain encrypted, even when a system breach occurs thus ensuring data loss is prevented.
- Access to unencrypted data is controlled. Role-based access controls allow you to control which users can see which data and specify data access at a granular (field) level. This protects data from unauthorized access even from database administrators at your company or at your cloud provider who have direct access to the system, but do not need to view the underlying data.
- Real-time anomaly detection and response. Not only should you encrypt your underlying data, you should also have the capability to analyse data requests in real time and stop and suspicious requests.
- Complement existing security systems. Data protection platforms must also work alongside your existing security information and event management (SIEM) systems, enhancing them with additional protections to reduce breaches and data loss.
Advantages to taking this approach
A multi-layered approach to data security, such as that taken by Sotero empowers organizations to safely use, share, and monetize data. The approach taken enables the following advantages for organizations compared with more traditional security approaches:
- Data in use is encrypted – this closes a major security gap where attackers gain direct access to a data store and steal your data. Sensitive data accessed in this way would now be encrypted through the entire life cycle – at rest, in transit, and in use.
- Cloud data is encrypted and controlled – Data stored in cloud-based SaaS applications or IaaS can be encrypted and access to the data is controlled by you.
- Restricted data access for DBAs – User privileges can prevent internal and external DBAs, including cloud administrators, from viewing unencrypted data. DBAs directly accessing the data store will see encrypted data.
- Secure business collaboration – Data shared with business partners, collaborators, and other enterprises, can be encrypted and access rights limited to people with whom you want to share data
- Simplified and scalable security management – Data in all your on-premise and cloud applications and data stores can be secured. This gives you a single protection method and a centralized management platform, eliminating the need to deploy multiple native security products and allowing you to scale your security management program.
- Instant detection and reaction to threats – Even with encryption and controlled access, threats can come from internal actors or from attackers that gain access to system passwords. Analysing user behaviour and responding in real-time to stop suspicious behaviour is key.
- Improved data governance – Every query logged, allows you to understand and better control your data usage.
- Adherence to data privacy and security regulations – The encryption and user access controls help you to protect sensitive information, including PII, in accordance with regulations such as GDPR, HIPAA, CCPA, and PCI-DDS.
This approach to security benefits any company that collects, uses, and shares sensitive data, including PII data. By securing sensitive data, businesses can operate with confidence, reduce the strain on the company’s security team, and reduce the financial and brand risk of data breaches. This includes companies such as:
- Companies that house data in the cloud for broader use and analysis. Examples: online retailers, online banks, and online stock trading platforms.
- Service providers / software providers who want to better secure their data as well as use that superior security as a selling point for customers. Examples: SaaS providers, cloud infrastructure providers, and outsourced HR service providers.
- Companies that need to comply with international data regulations while keeping data storage more streamlined. Examples: multinational financial services companies and online retailers with international customers.
- Companies that share data or collaborate with suppliers and other business partners. Examples: contract research organizations in the pharmaceutical industry and manufacturers with international suppliers.
By providing greater encryption capabilities, granular user/role driven access controls and real-time anomaly detection, Data Protection Platforms such as Sotero’s redefine how security and product teams view their data. The unique focus on increasing security of the data itself, including capabilities to protect data in use and data in cloud environments, is enabling businesses to operate more securely and with less risk when a breach inevitably occurs. Organisations need the confidence to use their data to the fullest, earn the trust of customers, and differentiate from their competitors.
1 PwC Consumer Intelligence Series, Trusted Tech survey 2020
2 Sotero Data Protection Platform at www.soterosoft.com
3 Identify Theft Resource Center, 2019 End-of-Year Data Breach Report
4 2019 SANS Survey on Next-Generation Endpoint Risks and Protections