Layering Security is easy, effective and affordable so there is no excuse for a data breach

There was a day and age not so long ago that I might have a little compassion for a data breach, but there is ABSOLUTELY no longer any excuse for these sorts of things to happen. From a technological perspective there is no reason why organizations of all sizes can’t easily implement a highly-effective, yet also affordable cyber Layer Security and Bring Your Own Security (BYOS) strategy. Below I will illustrate these layers of security with specific examples of how modern technology could possibly have greatly reduced data security risk or eliminated a data security breach altogether.

Complications of data security becomes Easier: The compassion I once had for an unintentional oversight for a data security comes from personal past experience as a network administrator when managing IT security was overwhelming complicated. IT Security was, and still is, complicated because there are so many areas of potential exposure in today’s always-on, internet-connected, reality. It’s not easy to stay informed on the rapidly evolving security technologies available these days and I can appreciate this daunting challenge.

No longer should it be so complicated to implement a solid cyber security strategy with simple dashboards where administrators can easily establish, manage and control their entire multi-cloud environment, including on-premise storage, through one simple interface. The challenge of learning each individual cloud ecosystems terminology, back-end configuration as well managing user access can be delivered in a simple to understand Management Console dashboard. So ‘complicated technology’ is eliminated as any excuse for a data breach.

Laying security provides an Effective defense: Historically, there always have been silos of outstanding security products where organizations can build various layers of cyber security but these proved to be challenging for several reasons. This layering involved using different vendors which meant different business contracts with each, or it meant that each vendor was at a different phase of their product life-cycles or the interoperability between the systems wasn’t smooth or flaky at best.

However, using modern and innovative security solutions that are tightly integrated with many layers of security methods — bordering on the verge of ‘paranoid’ levels — makes it much easier for network administrators to address many of these areas of data exposure risks. Nowadays implementing a fully integrated, end-to-end IoT security layered platform from device to storage literally takes only minutes. This Security-as-a-Service technology leaves all the magic of these secure layers to the back-end system automation where the administrators or users themselves never have to get involved. This highest level of security paranoia just simply happens without worry so providing a fully layered security stack of technology. No longer is there any excuse for a data breach because these layers do not consist of many disconnected parts; it’s simply one secure IoT platform.

Enterprise Security commoditized and now Affordable for everyone: ‘The Cloud’ has, unquestionably, delivered on the great promise of bringing technology and services which were once only affordable to large enterprise customers and now to organizations of all sizes. This is a shared cost of the cloud economy business model. For example, Salesforce delivers enterprise level CRM services, Amazon delivers enterprise Web Services (AWS) infrastructure and Google provides enterprise class business applications, all at great scale and with the highest levels of reliability. The common denominator where these companies can offer such enterprise services at such affordable costs is that ‘the cloud’ allows everyone to share in the costs, yet also share in the benefits. The same concept of offering enterprise grade salesforce automation, infrastructure services and business applications can now be applied to an Enterprise Data Security strategy which is affordable for everyone. For this reason, that traditionally enterprise class security was only available to organizations with large spending budgets is absolutely not an excuse for a data breach.

Now that we’ve taken a look at three factors which eliminate any excuse for a potential data breach, let’s take a look at each layer in a bit more detail and cite a recent example.

  • Bring your Own, always-on, data Encryption

Data breaches are not always the result of some nefarious black-hat hacker trying to steal your most sensitive corporate data. Sometimes honest mistakes happen such as is the case where the Pentagon exposed some of its data on Amazon server(1). This is an example where the complications of a Data Security implementation were overlooked or ignored. In this particular case anyone that had an Amazon Web Services account had access to the data stored because of a misconfiguration. It’s not that the technology wouldn’t have worked but there are just simply too many honest ways to misconfigure security settings.

This would not have happened if the Pentagon had implemented encryption security that wasn’t tied exclusively with Amazon’s Web Service user accounts and brought their own data encryption technology while still using the exact same Amazon S3 storage system they are currently utilize so no change in workflow. They could just have automatically enforced an encrypted secure strategy with technology that is not optional, it’s always-on as a default and cannot be misconfigured.

  • Virtual, non-Physical, Key Encryption System

Another example of most likely an honest mistake is where Uber Got Hacked Because It Left Its Security Key Out In Public(2) and the consequences are wide ranging where now Uber Is Already Getting Sued Over Its Gigantic Data Breach.(3) In this particular situation the traditional approach of using password security ‘keys’ led directly to a ransom demand, and consequent payment, to a nefarious hacker. Using traditional security key management methodology, password ‘keys’ are similar to a username/password combination or a physical software ‘key’ file that locks (encrypts) and unlocks (decrypts) files or your car door. The risk is that with a physical asset and storing ‘keys’ in this manner, there exists the possibility of exposure no matter how safe an organization attempts to store these keys. It’s like if you left the keys to your front door on the front porch of your home.

With a modern, cloud-first, approach there would be no physical key to compromise, and thus further reduce risk data breach exposure. While keys are still necessary to encrypt and decrypt files, the idea of physical keys should be a thing of the past. Ideally the keys should be only temporary used in memory and then instantly destroyed when not needed. This is the best approach available and can be achieved when people seriously consider new types of innovation instead of the standard ‘herd mentality’ by just continuing to do things as they’ve always been done. The golden rule should be that you can’t break what’s not there.

  • Biometrics Multi-Factor Authentication

Other times the technology itself exposes risks as was the case with Western Digital (WD) where it was suggested from SEC Consult Vulnerability Lab as a Top tip: Unplug your WD My Cloud boxen – now(4). Western Digital provides network-attached storage (NAS) solutions and an easy way to use these WD devices is through a web interface. In this particular breach it was verified that there is a known vulnerability where hackers can bypass username/password authentication and get direct access to the root file system and all the data stored on these NAS devices.

Nowadays nearly all mobile phones and even computers have cameras and microphones. Facial and Voice Recognition are becoming more mainstream with the likes of Amazon Alexa, Google Voice and Microsoft Cortana and technology exists where users can easily register their face and/or voice as another form of user authentication. In this case, a second form of authentication, instead of just only username/password authentication, such as Face or Voice would have prevented unauthorized access to the data on these devices. Also, while passwords might be easily guessed if not using a strong password, face and voice is much harder to duplicate. Today’s modern technology can allow a user to register their Face or Voice in just a few minutes and further reduce the risk of a potential data breach with this multi-factor authentication approach to an overall cyber security strategy.

  • Strip files of their digital identity and store in a manner safe even when stolen

Lastly, when all else fails, such as where Oxford and Cambridge Club data breach: 5,000 members’ data compromised after backup hard drive stolen(5) then you have to be assured that these nefarious hackers can’t understand your data even when they are in physical possession of the content. Just assume an absolute worst-case scenario where (a) multi-factor authentication was circumvented, (b) unauthorized data decryption was achieved with brute force and (c) the hacker was in physical possession of your content where you can’t erase or take any counter-measures. In this case you certainly don’t want your files to appear as recognizable files such as a PDF medical record, a legal agreement document or a financial spreadsheet.

So how can you achieve this? Using innovative security technology, you would strip these PDF, DOCX or XLXS files of their digital identity, meaning absolutely no metadata about the objects themselves is available to the hacker. No obvious file extensions such as ‘.pdf’ are ever exposed. Then filenames themselves are cleansed of their real name such as ‘credit card numbers.xls’ and each object is split into completely random folders/sub-folders and files which render these items completely unusable to the hackers. In fact, to ensure a security level past the paranoid level a single object can be striped across multiple backend storage systems to provide a true hybrid storage solution.

In summary, I hope that you can appreciate that implementing an innovative, modern, cloud-first, Bring Your Own Security (BYOS) data security strategy provides no excuse for breaches. In a perfect world a combination of all the above layers of security which fits seamlessly into existing user workflows, that is easy to implement from a technical perspective and is affordable to everyone is cyber security euphoria.

I would not want to be the next person or organization that has to deal with one of these security breaches when the technology is available to avoid such disaster. There are two distinctly different ROI’s from my perspective. The obvious ROI is ‘Return on Investment’ by using technology to improve business process to enhance productivity, decrease operational costs and create a competitive advantage which is rather easy to measure. And then there is the second, not so obvious ROI, which is reduced ‘Risk of Investigation’ through a lax data security strategy. I just wish during my personal experience as a network administrator that the technology existed which would provide the maximum ROI to both extremes. The bottom line is that a sound cyber security strategy is the responsibility of everyone in an organization from CEO, CFO, CIO, CTO, employees to partners and providers so everyone must careful consider and participate in securing data. There is simply no excuse for a data breach.

References:

1. Pentagon exposed some of its data on Amazon server

2. Uber Got Hacked Because It Left Its Security Key Out In Public

3. Uber Is Already Getting Sued Over Its Gigantic Data Breach

“Uber failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach,”

4. Top tip: Unplug your WD My Cloud boxen – now

5. Oxford and Cambridge Club data breach: 5,000 members’ data compromised after backup hard drive stolen

Leave a Reply

Your email address will not be published. Required fields are marked *

twenty + 4 =

This site uses Akismet to reduce spam. Learn how your comment data is processed.