Yes, holistic data security should be a thing
Hardly a week goes by without news of a high-profile data breach. Sometimes the damage is quite limited, either due to the low market value of the stolen data, the strength of the data security in place, or even the sloppiness of the threat actor. In other instances, though, especially when large enterprises that serve thousands or millions of customers (think online retailers, financial institutions, or insurance providers) are targeted, the fallout is huge and often painful. These are the events that make all of us in the cyber-security space take a pause and wonder, with all the negative press around these situations, not to mention regulatory mandates, how could this happen in 2020?
What exacerbates the situation is the ongoing emphasis on the role of the cloud in enterprise IT strategies. We all know that cloud services and resources can make an enterprise’s IT services more efficient, more OpEx-oriented and CapEx-friendly, and more convenient for end-users across the business. No news flash there. Cloud services and applications are now part of many corporate data workflows, either to process information, store it, or serve as a pass-through. Sure, cloud services and especially SaaS application providers implement various forms of security, but often those measures are limited, perimeter- and user-focused (instead of data-focused), and address only a segment of the entire data workflow and lifecycle.
In reality, the real question we need to ask ourselves is this: why isn’t all sensitive and personal data that is processed and stored by these enterprises secured in the cloud end-to-end, and more importantly how do we fix that?
What the data shows
We should always be skeptical of gloomy scenarios and take a data-driven approach to analyze such scenarios, so the first step is to confirm whether the problem is really that prevalent.
If we look at some of the recent breach statistics from IDC Research this year (as recently as June 2020), 80% of companies around the world that are putting data in the cloud have experienced some form of data breach!
Of course, these attacks can affect all sorts of different cloud scenarios and lots of different types of data, not all of it highly personal and sensitive. For our purposes here, we should focus on customers’ personal data that gets pushed to the cloud; we’re talking about data which is often very sensitive and which, in most jurisdictions, is regulated with respect to how each organization processes and handles it, whether on-premise or in the cloud.
In addition, 80% of those struggling with these types of data breaches were also unable to manage and control sensitive data in the cloud themselves!
Clearly, this is a really big problem. And yet, we in the cyber-security space already have the solution; we know that end-to-end data security is a very powerful strategy and technique to reduce the exposure of data across its entire lifecycle, regardless of the particular operational workflow.
So why isn’t end-to-end data-centric security leveraged more extensively if we know that it is the right thing to do?
The same could be asked of seatbelt usage—they save lives, and extensive data over decades proves it. So why doesn’t every car driver and passenger use them? Good questions indeed.
So why isn’t end-to-end data-centric security a thing yet?
Let’s drill into this conundrum a bit further to see if we can figure out the explanation. In the enterprise, organizations use personal data across many different types of applications served up both on-premise and from the cloud (whether SaaS-, public-, or private-cloud based).
Consumer-facing businesses, in particular, will capture many types of personal data elements across the customer’s entire journey with the business. This customer data is usually highly sensitive, whether it be tax IDs, government-issued IDs (SSNs), banking information (account numbers), credit history information, or even insurance and health-related data. Theft of this type of information is catastrophic for companies. It is the type of information that is highly regulated in many jurisdictions by regulations such as GDPR, CCPA, LGPD, or HIPAA & HITECH, or by industry standards such as PCI DSS.
If sweeping regulations and standards such as these encourage minimum standards of data-centric security, what is challenging enterprises so much that they would risk a data breach and all the possible negative ramifications, such as fines, sanctions, reputational damage, and lawsuits?
Why isn’t all this sensitive information protected end-to-end?
Even with advances in encryption and tokenization technologies that make them simpler and more efficient to implement, the problem revolves around how complex these projects generally are. If you have to open up your enterprise applications in order to reduce the risk of data exposure, but you have to make changes to each and every application in some way, and you also have to do that across your entire enterprise, then that’s a complex problem and complicated project to manage. If you have to make those kinds of changes, that’s also time-consuming for your in-house staff. All of this extra work and complexity might then limit agility in other areas of performance. So now, you’re putting resources onto non-revenue-generating activities simply to reduce risk. It becomes a trade-off.
Often, leadership has a really hard time justifying business investment in these types of technologies and projects. So then, the issue becomes how to do this more efficiently, how to really and truly make it a no-brainer to the business to implement data security that balances risk, data use, data access, and data security. How to make it all do-able? That’s the real challenge here.
Look, nobody wants a long project at the end of the day. The biggest thing to consider today is that agility is driving businesses to adopt new types of technologies, data workflows, and processes. Agility is key to business success in 2020, particularly in the context of a pandemic response in which the markets have changed so fast that we only have days to weeks to make appropriate implementations and changes. None of us can absorb and tolerate months to years to finish data security projects. This is the dilemma of traditional data security projects. They look appealing to management, and of course, some organizations can tolerate long durations, but most organizations just can’t sustain it. Therefore, they don’t.
Another question to ask is this: are your data security strategies and tactics really data-centric in focus? Many security technologies such as data-at-rest encryption methods only protect information as it is stored. In many data-breach situations, this strategy shockingly (at least to those who don’t live and breathe it) has had virtually no effect on preventing the breach and protecting the sensitive information under attack. If we just focus on data-at-rest protection, which is what is built into many cloud architectures and cloud applications today, that won’t necessarily protect anybody from a breach. Most certainly, it won’t achieve many of the regulatory compliance requirements for data privacy. And, that should be one of your biggest concerns, given the costs and reputational tarnish of non-compliance.
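The distinction above, between storage-layer encryption and data-centric protection, is easier to see with a small model. The following is an added illustration, not code from the original article: it models a store with transparent at-rest encryption (a toy XOR stand-in for the real cipher) next to a store that holds only tokens and keeps plaintext in a separately authorized vault, then shows what an attacker who has taken over the application's own read path obtains in each case. All records, roles and names are constructed for the example.

```python
"""Added illustration (not from the original article): why storage-layer
encryption alone does not protect data that a breached application can read,
and how field-level tokenization changes what an attacker-reachable query
returns. All records, keys and role names below are constructed sample data."""
import hashlib
import hmac
import secrets

# Constructed sample records with a sensitive field (fake SSN-like values).
CUSTOMERS = [
    {"id": 1, "name": "Ada", "ssn": "123-45-6789"},
    {"id": 2, "name": "Grace", "ssn": "987-65-4321"},
]


class EncryptedAtRestStore:
    """Models transparent disk/volume encryption: bytes on disk are ciphertext,
    but the store decrypts for any caller with database access. The XOR below
    is a toy stand-in for a real cipher; the point is where the trust boundary
    sits, not the cipher."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._disk = {}  # what an attacker who copies the volume would see

    def _xor(self, data: bytes) -> bytes:
        return bytes(b ^ self._key[i % len(self._key)] for i, b in enumerate(data))

    def write(self, rec):
        self._disk[rec["id"]] = self._xor(rec["ssn"].encode())

    def read(self, rec_id):
        # The application's normal query path returns plaintext.
        return self._xor(self._disk[rec_id]).decode()

    def raw_disk(self):
        return dict(self._disk)


class TokenizingStore:
    """Models data-centric protection: the application store only ever holds
    tokens; plaintext lives in a separate vault behind its own access check."""

    def __init__(self):
        self._vault_key = secrets.token_bytes(32)
        self._vault = {}   # token -> plaintext, a separate trust boundary
        self._app_db = {}  # what the application (and an attacker in it) sees

    def tokenize(self, value: str) -> str:
        # Deterministic keyed token so equality checks and joins still work.
        digest = hmac.new(self._vault_key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:12]
        self._vault[token] = value
        return token

    def write(self, rec):
        self._app_db[rec["id"]] = self.tokenize(rec["ssn"])

    def read(self, rec_id):
        # The application's query path only ever yields a token.
        return self._app_db[rec_id]

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only an explicitly authorized role (constructed name) crosses into the vault.
        if caller_role != "payments-batch":
            raise PermissionError("detokenization denied for role %r" % caller_role)
        return self._vault[token]


def simulate_app_compromise(store, rec_id=1):
    """An attacker who controls the application simply uses its read path."""
    return store.read(rec_id)


def demo():
    at_rest = EncryptedAtRestStore()
    tokenized = TokenizingStore()
    for rec in CUSTOMERS:
        at_rest.write(rec)
        tokenized.write(rec)
    token = simulate_app_compromise(tokenized)
    try:
        tokenized.detokenize(token, caller_role="web-app")
        denied = False
    except PermissionError:
        denied = True
    return {
        # A stolen volume image does not expose the plaintext field.
        "stolen_volume_leaks_plaintext": CUSTOMERS[0]["ssn"].encode() in at_rest.raw_disk()[1],
        # A breached application reads plaintext straight through at-rest encryption.
        "app_breach_at_rest": simulate_app_compromise(at_rest),
        # The same breach against the tokenized store yields only a token.
        "app_breach_tokenized": token,
        "unauthorized_detokenize_denied": denied,
        "authorized_detokenize": tokenized.detokenize(token, caller_role="payments-batch"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The at-rest store answers the threat of a copied disk and nothing more; the tokenizing store moves the boundary so that the application's query path, the one most breaches ride, never returns the protected value.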
To make matters even more complex, you now have to deal with three different cloud scenarios.
You have SaaS applications in which quite a bit of personal data is being processed.
You have hybrid applications where ‘lifting and shifting’ data into platforms, which are outside the data center and under different control frameworks, all with very different control and security requirements, is the norm.
Lastly, you have cloud-native technologies, which are very agile techniques and services such as Kubernetes that allow you to orchestrate and build very high-scale applications in very short order.
This agility is massive for organizations that want to build new apps or really retool their digital transformation agenda. Unfortunately, these cloud-native technologies come with their own risks.
Now, let’s look at this from the CISO’s perspective, the office that answers for enterprise data security in the end.
The latest cloud technology stacks like Kubernetes and the agile frameworks that come with them allow organizations to build and manage container-based applications, pulling containers from all sorts of different places. Containers, though, can incorporate native storage or even older vulnerable applications. This is a really big concern. Of course, you need new tools to manage container security, but if you’re not protecting data end-to-end, you can end up with a really big and risky situation, because the scale, the churn, and the dynamic change in these environments is a new frontier to manage.
For a light-hearted analogy, what you have is a situation in which development teams are enthusiastically embracing and implementing these new approaches, reminiscent of scissors in the hands of kids who are running around as though they’re the coolest new toy, but in reality, they’re sharp and somewhat dangerous and can ultimately poke the CISO (and themselves) in the eye. Usually, somebody gets hurt!
So how to solve for that?
At the end of the day, DevOps can’t be the hydra that manages all of this by putting fingers in every pie. They simply can’t scale like that; obviously, we all need a new approach. At the end of the day, the business just wants to get on with it, and under the pandemic response, the latest cloud technologies and cloud stacks like Kubernetes and the wonderful ecosystems that they provide offer ground-breaking agility and innovation.
This agility has to be the heart and center of your digital transformation process, and everybody knows that fact. You want your development teams to be unleashed, you want them to go faster and produce more and better, and the CISO needs to be the function saying ‘yes’ to business growth, agility, and new adoption techniques, even if some new risk is involved. So being able to protect data consistently and quickly is going to be a huge boost in meeting your corporate and IT strategy all while delighting the business.
The solution is a three-step process
The answer to all this—and to implementing an end-to-end data-centric posture—is a three-stage process: intelligently discover sensitive data, operate data security infrastructure as code, and deploy as transparently as possible.
The good news is that numerous data-centric security platforms are on the market that can handle all three of these stages adequately. You need to know what to look for, though. Let’s look at some desirable traits.
These platforms need to combine intelligent discovery capabilities to locate exactly where data is, where it’s moved, where it is consumed, who uses it, what the identity relationships are.
You may think you have a grasp on all this, but you really probably don’t. What this allows you to do is get a very clear picture of your privacy risk, automate your privacy operations, and also find where the risks are and where you need to instrument for data security. After that, you can now instrument data security as a service back to the business as infrastructure as code.
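What a discovery pass actually produces is an inventory of where sensitive elements sit, by record and field, with enough validation to keep the noise down. The block below is an added example of that stage, not code from the article or any particular platform: it walks nested records, classifies string values by pattern, validates card-number candidates with the Luhn checksum so that a 16-digit order reference is not reported as a card, and reports each finding with its field path and a masked sample. The records are constructed sample data.

```python
"""Added example (not part of the original article): a small sensitive-data
discovery pass of the kind the 'intelligent discovery' stage needs. It walks
nested records, classifies field values by pattern, validates card numbers
with the Luhn checksum to cut false positives, and reports where each
finding lives. SAMPLE_RECORDS is constructed sample data."""
import re
from collections import Counter

SAMPLE_RECORDS = [
    {"id": "cust-1", "email": "ada@example.com", "profile": {"ssn": "123-45-6789"}},
    {"id": "cust-2", "notes": "card on file 4111 1111 1111 1111, exp 12/26"},
    {"id": "cust-3", "order_ref": "1234567890123456"},  # 16 digits but fails Luhn
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, as a report would show them."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify(text: str):
    """Return (category, masked_sample) pairs found in one string value."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", "***-**-" + m.group()[-4:]))
    for m in EMAIL_RE.finditer(text):
        findings.append(("EMAIL", m.group()))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drops order numbers and other digit runs
            findings.append(("PAN", mask_pan(digits)))
    return findings


def walk(value, path=""):
    """Yield (field_path, string) for every string leaf in a nested record."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value


def discover(records):
    """Build the inventory: one entry per (record, field, category) hit."""
    findings = []
    for rec in records:
        rec_id = rec.get("id", "?")
        for path, text in walk(rec):
            for category, masked in classify(text):
                findings.append({"record": rec_id, "field": path,
                                 "category": category, "sample": masked})
    return findings


def summarize(findings):
    """Counts per category, the number a risk dashboard would chart."""
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    inventory = discover(SAMPLE_RECORDS)
    for f in inventory:
        print(f"{f['record']:8} {f['field']:12} {f['category']:6} {f['sample']}")
    print(summarize(inventory))
```

The field path is the part that feeds the next stage: it tells you which application and which column needs tokenization or encryption instrumented, rather than just that "somewhere" in the estate there are card numbers.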
This is a very modern approach that builds into the DevOps lifecycle so data security can be built in and operated automatically from the start. And, with transparent integration options, you no longer have to open up the applications to make the changes, nor carry the albatross of prior technologies that threatened to bog things down. You can do this at the click of your fingers really, and large enterprises have done this—even in complex legacy situations—in just weeks to months across entire estates that formerly would have taken many years to complete.
Adopting this type of approach can go much, much faster (10-100x faster), reduce your risk across all personal and sensitive data that your enterprise possesses, and allow you to get into cloud migration strategies more rapidly while at the same time achieving compliance much more effectively.
That means not just data security compliance for PCI DSS, but also the new frontier of more sweeping privacy regulations such as CCPA, LGPD, and all the newer regulations that follow this path and are based on GDPR or derivations of it.
As indicated earlier, if nothing else inspires you to take a closer look at the questions (and answers) posed here, it should be the fact that in many cases you have no choice. Regulations and industry standards compel you.
But take heart—the hardest part of solving a problem is understanding it, and hopefully, this quick study has helped you comprehend the situation a bit more.