Data Security
The current emphasis in the cybersecurity world is on countering hacking operations. So naturally, organizations invest heavily in preventing outsiders (sorry for the old terminology :-) Zero Trust will come soon) from entering their networks and do whatever they can to prevent these hackers from accessing data once inside the perimeter. But the shifting technological and business landscape makes this perception obsolete.
The new IT architecture, which involves on-premise assets, cloud and hybrid ones (as well as mobile and websites), makes it extremely hard to defend against threats. Moreover, the actual perpetrators have changed. The new structure allows even non-professional hackers to gain access to data, something that was previously only possible through extremely difficult “hacking”. Examples are widespread. A marketing services firm left an unprotected MongoDB database that led to the exposure of 982 million email accounts (that’s nearly one billion individuals). An unsecured Gearbest server exposes millions of shoppers and their orders. Dozens of companies leaked sensitive data thanks to misconfigured Box accounts. I recently attended a lecture by Noam Rotem (white hat hacker for fun) that emphasized how easy it is to compromise organizations. His examples were shocking.
Noam Rotem waves his hands in despair
And to prove that there’s more than money at stake: a recent data breach exposed data of 34,000 medical marijuana patients, including diagnostic results, healthcare numbers, and personal contact information, all of which are sensitive.
But it’s not always about “hacking” (or any activity aimed at obtaining data). The move to the cloud allows even employees (or ex-employees) to access data, and if they wish to, to manipulate it.
Our Data is safe in there, we think
Just recently a British man was sent to prison for two years after he wiped out his last employer’s business-critical data in cloud storage, according to a report by the United Kingdom’s Thames Valley Police. An IT consultant at a digital marketing and software agency was sacked for poor performance, so he used a former coworker’s Amazon Web Services (AWS) account to access 23 AWS servers, where he deleted data related to the firm’s clients. The act cost the company £500,000 in lost contracts, and the data was never reconstituted. Given that (according to a recent survey) 30% of IT professionals still consider cybersecurity as the responsibility of their cloud service provider, it is easy to see why such incidents are plentiful.
To solve these challenges we must use both technological means (better security mechanisms) and improved regulation. A simple example of regulation at work (other than GDPR :-) ) would be the one mandated by the Australian Taxation Office. It has implemented security standards relating to business owners offering cloud-based payroll services.
The final component is, of course, better awareness and proficiency by security professionals. It is up to them to identify the potential pitfalls of this new enterprise architecture and make sure they secure it using technologies and procedures (no security product will help if your DevOps team saves passwords in clear text on GitHub, or misconfigures an AWS server).
This leads directly to the subject of Zero Trust architecture. A super interesting topic that is everywhere now. Well, Leia (my one and only princess) woke up… time to initiate in-house security, so, more on this next time.
Keep safe! Dotan