This paper gives a perspective on the shortcomings of most data security strategies and solutions, and outlines how you can address these shortcomings in order to be operationally resilient.
Companies spend billions of dollars annually to secure their infrastructure and data, yet data breaches routinely occur even when network security and user validation are in place. A single breach can cost millions of dollars to detect, respond to, and recover from. It can also affect the long-term viability of your business, as securing personal data becomes an important global issue. In fact, in a recent global survey, 85% of consumers said they wish there were more companies they could trust with their data [1].
Encryption has proven to be the most effective way to lower the impact of a security breach, but traditional encryption helps only when data is at rest (disk encryption) or in transit via secure communication methods such as SSL and TLS. That leaves companies with significant vulnerabilities when the data is in use by on-premise or cloud applications. Moreover, as companies rely more heavily on cloud environments, including Software as a Service (SaaS) and Infrastructure as a Service (IaaS) products, they face even greater risks by handing control of the data to cloud providers who may or may not encrypt data securely; even when they do, the cloud provider has access to both the data and the encryption keys.
Today, a new approach is needed, as provided by the Sotero data platform [2], which can secure all your sensitive data regardless of source, location (on-premise, cloud, or hybrid) and lifecycle stage (at rest, in transit, or in use). Organisations like yours should be able to seamlessly adopt, deploy and use this technology to address these challenges, enabling them to operate smoothly and securely, with the confidence to use, share and monetise data.
‘Sensitive data is put at risk by traditional encryption, cloud migrations, and endpoints’
Data is the lifeblood of all organisations. It is used to improve critical business metrics in all industries, including sales results, customer satisfaction, the efficiency of manufacturing processes and the quality of healthcare. It’s safe to say that every enterprise has sensitive data, such as customer data, personally identifiable information (PII), employee data, financial information, or transaction information. Today, securing that information is not simply a good business practice; it is increasingly mandated by government bodies and regulations such as the General Data Protection Regulation (GDPR), or by industry standards such as the Payment Card Industry Data Security Standard (PCI-DSS).
Clearly, securing data is not easy. In the past it was easier, because there were fewer applications and data was often siloed and therefore more easily secured. Today, however, data is ubiquitous and at the core of every business – healthcare, financial services, software, pharmaceuticals, retail, and education. The competitive differentiation of companies, collaboration with partners, and customer trust depend on their ability to use, share, and monetise data securely. They use an increasing array of specialised software, systems, and access devices/endpoints (e.g. mobile phones and IoT devices) to unlock the value of their data and make their business operate efficiently. Data flows more freely in this environment, both inside and outside the company, and is typically stored in many places, including on-premise databases and applications, SaaS applications hosted in the public cloud, and IaaS systems. This all equates to more attack points, higher complexity and vulnerability, and higher risk for organisations.
1. Encryption doesn’t protect data in use – Companies that encrypt their sensitive data often conclude their data is completely protected, but that is incorrect. Traditional encryption consists only of:
a) Disk encryption, which protects data only when it is at rest on the disk, and
b) Encrypted communication links, such as those powered by SSL and TLS encryption, which encrypt data only when it is in transit from one system to another.
While valuable, this encryption does not cover one of the major vulnerabilities that companies face today – an attacker obtaining unauthorised, direct access to the database. Access can be gained by several methods, including phishing attacks, misconfigured databases, or custom software programs that impersonate valid applications requesting data. Once a system is breached in this way, the attacker can write queries to access and/or steal all the underlying data. The database server will fetch the data from the disk, decrypt it and send the query results back to the attacker in plain text.
Also, disk encryption does not prevent unauthorised access by those who are charged with administering the database, whether those people are employees or third-party consultants. For example, encrypted data on the disk does not prevent a database administrator from querying the database to get unencrypted data and, thereby, reviewing or stealing data they do not need to access.
As database products have matured, they have begun to offer ways to better protect against unauthorised access to data, such as Always Encrypted for Microsoft SQL Server and Transparent Data Encryption for Oracle. However, even if such native tools were available for every SaaS application, IaaS product and on-premise application or database, using disparate native solutions and replicating them in each instance would be unmanageable and risky for most companies.
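The difference between at-rest encryption and protecting data in use comes down to who holds the key. The following Go program is an added illustration (not code from this paper or the Sotero product): a constructed in-memory "column" is stored two ways, once with the database engine holding the AES-256-GCM key and decrypting on read, and once with only the application holding the key. The keys, row ID and stores are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// AES-256-GCM helpers; seal prefixes a fresh random nonce that open strips again.
func newAEAD(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func seal(a cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	must(rand.Read(nonce))
	return a.Seal(nonce, nonce, pt, nil)
}
func open(a cipher.AEAD, ct []byte) []byte {
	n := a.NonceSize()
	return must(a.Open(nil, ct[:n], ct[n:], nil))
}

// TDEStore models transparent at-rest encryption: the engine holds the key,
// encrypts on write and decrypts on every read, whoever issues the query.
type TDEStore struct {
	engine cipher.AEAD
	rows   map[string][]byte
}
func (s *TDEStore) Insert(id string, pt []byte) { s.rows[id] = seal(s.engine, pt) }
func (s *TDEStore) Query(id string) []byte      { return open(s.engine, s.rows[id]) }

// AppKeyStore models an application-held key: the database is just a map of
// ciphertext, so a direct query returns bytes only the application can open.
type AppKeyStore map[string][]byte
func (s AppKeyStore) Query(id string) []byte { return s[id] }

// LeaksPlaintext reports, for each model, whether a direct query reveals pt.
func LeaksPlaintext(pt []byte) (tdeLeaks, appLeaks bool) {
	dbKey, appKey := bytes.Repeat([]byte{1}, 32), bytes.Repeat([]byte{2}, 32) // constructed keys
	tde := &TDEStore{newAEAD(dbKey), map[string][]byte{}}
	tde.Insert("r1", pt) // the application writes plaintext; the engine encrypts it
	app := AppKeyStore{"r1": seal(newAEAD(appKey), pt)} // the application encrypts first
	return bytes.Equal(tde.Query("r1"), pt), bytes.Equal(app.Query("r1"), pt)
}
```

A DBA or a stolen credential running Query against the TDE model gets plaintext; against the application-key model it gets ciphertext it cannot open without the application's key.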
2. Cloud applications and infrastructure often put your data at risk – As companies shift more of their sensitive data to the cloud, they introduce more potential cracks in their security. Specifically, SaaS applications and IaaS that reside in a public cloud introduce the following vulnerabilities:
a) Cloud providers require their customers to provide their own cybersecurity and do not enforce it, which leaves cloud applications less protected unless the organisation has a highly sophisticated security management programme [3].
b) Data in the cloud is accessible to the database administrators of the cloud applications or infrastructure via direct access to the database.
c) If data in the cloud is encrypted by the cloud or application provider, the provider still holds the encryption keys and can access the data in the database.
3. Endpoints such as mobile applications, point of sale systems, and IoT devices may not be secure. Attacks often start at endpoints, such as workstations or printers, which are often left unsecured, and then proceed to backend servers that hold sensitive data.
A recent survey of security professionals indicated that employee-owned mobile phones, laptops and IoT devices/sensors are susceptible to attack and are the least likely to be covered by security management programmes. In the same survey, 28% of respondents confirmed that attackers had accessed endpoints [4]. Lack of control at endpoints enables attackers to access sensitive data even if it is encrypted.
4. Anomaly detection tools don’t prevent unauthorised access – They have two limitations. First, they are usually deployed at the firewall or network level, not the data access level.
This prevents them from detecting data requests that are benign at the access level but still malicious at the data level. Second, log file and user behaviour analysis tools, such as Splunk, do not operate in real time. They can help organisations discover intrusions and unauthorised access as part of a forensic investigation, but they do not enable a company to interrupt and prevent unauthorised access in real time.
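To make the data-level point concrete, here is an added Go example (not from this paper or the Sotero product) of a gate that sits in the data access path and decides before a query's results are released, rather than after the fact from logs. It keeps a per-principal, per-table baseline of rows returned and blocks a request that is far larger than that baseline even though the principal is authenticated and the request passed the firewall; the principal, table, thresholds and traffic are all constructed.

```go
package main

import "fmt"

// Access is one data-layer read seen by an in-line gate after the request has
// already passed the firewall and authenticated as a valid principal.
type Access struct {
	Principal, Table string
	Rows             int // rows the query would return if allowed
}

// Gate keeps a per-principal, per-table EWMA baseline of rows returned and blocks
// in-line, before any result leaves, a request far larger than that baseline.
type Gate struct {
	baseline map[string]float64
	seen     map[string]int
	Warmup   int     // reads per key before the gate starts blocking
	Factor   float64 // block when rows > Factor * baseline
	Floor    int     // never block reads of this many rows or fewer
}

func NewGate() *Gate { return &Gate{map[string]float64{}, map[string]int{}, 5, 10, 100} }

// Check decides before the query runs. Only allowed reads update the baseline,
// so a blocked bulk read cannot drag it upward to legitimise the next one.
func (g *Gate) Check(a Access) (allow bool, reason string) {
	key := a.Principal + "|" + a.Table
	base, n := g.baseline[key], g.seen[key]
	if n >= g.Warmup && a.Rows > g.Floor && float64(a.Rows) > g.Factor*base {
		return false, fmt.Sprintf("%s: %d rows from %s, baseline %.1f", a.Principal, a.Rows, a.Table, base)
	}
	if n == 0 {
		base = float64(a.Rows) // seed the baseline with the first read
	}
	g.baseline[key], g.seen[key] = 0.8*base+0.2*float64(a.Rows), n+1
	return true, ""
}

// Replay runs constructed traffic through a fresh gate: a service reads one
// customer row per request eight times, then the same valid credential asks
// for the whole table, then returns to normal. It reports which were blocked.
func Replay() (bulkBlocked, routineBlocked bool) {
	g, routine := NewGate(), Access{"orders-svc", "customers", 1}
	for i := 0; i < 8; i++ {
		g.Check(routine)
	}
	bulkOK, _ := g.Check(Access{"orders-svc", "customers", 250000})
	routineOK, _ := g.Check(routine)
	return !bulkOK, !routineOK
}
```

A network-level control sees only a valid client talking to the database on the expected port; the gate sees that this credential has never read more than a handful of rows and stops the bulk read before it is served.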
‘Leave no data unsecured throughout the entire data life cycle’
This approach to security benefits any company that collects, uses, and shares sensitive data, including PII data.
By providing greater encryption capabilities, granular user/role-driven access controls and real-time anomaly detection, data protection platforms such as Sotero’s redefine how security and product teams view their data. The focus on increasing the security of the data itself, including capabilities to protect data in use and data in cloud environments, enables businesses to operate more securely and with less risk when a breach inevitably occurs. Organisations need the confidence to use their data to the fullest, earn the trust of customers, and differentiate themselves from their competitors.
1) PwC Consumer Intelligence Series, Trusted Tech survey 2020
2) Sotero Data Protection Platform at www.soterosoft.com
3) Identity Theft Resource Center, 2019 End-of-Year Data Breach Report
4) 2019 SANS Survey on Next-Generation Endpoint Risks and Protections