ISSUES OF THE DAY MAY ISSUE.

Digital Identities

Gaining Security And Trust

Our modern digital world has proven that the current way of managing identity in cyberspace needs to change. If your digital identity is compromised by your activity online, it’s a safe bet that it is already being controlled by conglomerates. With the push of a button or an automated algorithm, digital identities can be compromised instantaneously. But what is a digital identity? Rather, what is your digital identity, and how do you protect it?

In the physical world, we have many forms of identification to help prove we are, in fact, who we say we are. We have driver’s licenses, passports, credit cards—even library cards help establish our identity. In the digital world, these tangible items consist of usernames and passwords, which we use to access our identity objects—our tweets, Facebook photos, email and personal bank accounts.

Anything we do online makes up our digital identity. Rather than ‘holding’ onto these items ourselves, they are often stored and managed by identity providers (IdPs). In using an IdP, the user has shifted all responsibility for identity protection to a system that is, in essence, merely protected by a password. In a world where stolen identities are on the rise and identity theft happens every 22 seconds, this makes no sense.

Anyone who steals the IdP password also could steal your identity.

Decentralised Identity Might Be The Key


Why should a third-party system have so much control over verifying your identity? The answer is, they shouldn’t. Data in an IdP can be easily modified or even erased—then what happens? The IdP could mistakenly leak your personally identifiable information (PII), blocking access to your identity and consequently blocking access to sites using your data. You could be locked out of your identity. For example, if Google terminates your account, you won’t be able to log into hundreds of other applications, which all count on Google to verify you.

A third party should not have that much control over your ability to authenticate yourself. That’s where a fairly new concept known as decentralized identity (DID), or self-sovereign identity, comes into play.

A DID framework establishes unique and secure access connections between users and systems without a third-party IdP. It is controlled and, more importantly, managed by the account holder—you!

It’s like a digital wallet—the user is responsible for keeping their identity secure. There is no exchange of passwords; biometric authentication is used and the user only releases the minimum information required to establish a secure and trusted connection. With DID, an underlying decentralized blockchain ensures identities are cryptographically authentic and tamper-proof.

Decentralized identity reduces fraud via enhanced security and passwordless access to help ensure system and network integrity, user privacy and elevated compliance.

DID IN ACTION

Though DID is still a fairly new concept, some rather large companies are taking the plunge and taking a chance on decentralized identity management. Microsoft, for example, is collaborating with members of a newly formed Decentralized Identity Foundation (DIF) to develop standards, identify technical components and code deliverables for an open source DID ecosystem.

The DIF recently introduced Microsoft Entra Verified ID, which uses DIDs to cryptographically verify user information and prove that the user is the owner of a verifiable credential.

There are three primary steps in Microsoft’s verifiable credential solution:

1. A user requests a verifiable credential from an issuer.

2. The issuer of the credential attests that the proof the user provided is accurate. They then create a signed verifiable credential.

3. The user signs a verifiable presentation with their DID and sends it to the verifier. The verifier then validates the credential by matching it against an issuer’s public key on the blockchain.
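The three steps above, sketched as an added Node.js example (not Microsoft's code and not the Entra Verified ID API). An in-memory Map stands in for the blockchain registry, Ed25519 is the assumed signature scheme, and the did:example identifiers, claim names and function names are all hypothetical. It also shows the checks a verifier needs so that a tampered credential, a credential presented by someone other than its subject, or a replayed presentation is rejected.

```javascript
// Added illustration: issue, present and verify a credential with Ed25519.
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

// Assumption: this Map stands in for the ledger that publishes each DID's public key.
const registry = new Map();

function createIdentity(did) {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  registry.set(did, publicKey); // only the public key is published
  return { did, privateKey };   // the private key stays in the owner's wallet
}

// Deterministic JSON (sorted keys) so signer and verifier process identical bytes.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    const members = Object.keys(value).sort()
      .map((key) => JSON.stringify(key) + ':' + canonical(value[key]));
    return '{' + members.join(',') + '}';
  }
  return JSON.stringify(value);
}

function signObject(payload, privateKey) {
  return sign(null, Buffer.from(canonical(payload)), privateKey).toString('base64');
}

function checkSignature(payload, proof, signerDid) {
  const publicKey = registry.get(signerDid);
  if (!publicKey) return false; // unknown DID: nothing to verify against
  return verify(null, Buffer.from(canonical(payload)), publicKey, Buffer.from(proof, 'base64'));
}

// Steps 1 and 2: the issuer attests the claims about the subject and signs them.
function issueCredential(issuer, subjectDid, claims) {
  const credential = { issuer: issuer.did, subject: subjectDid, claims };
  return { credential, proof: signObject(credential, issuer.privateKey) };
}

// Step 3, holder side: wrap the credential, bind it to the verifier's nonce, sign.
function createPresentation(holder, signedCredential, nonce) {
  const presentation = { holder: holder.did, nonce, verifiableCredential: signedCredential };
  return { presentation, proof: signObject(presentation, holder.privateKey) };
}

// Step 3, verifier side: every check must pass before the claims are trusted.
function verifyPresentation(signedPresentation, expectedNonce, trustedIssuers) {
  const { presentation, proof } = signedPresentation;
  const { credential, proof: issuerProof } = presentation.verifiableCredential;
  if (presentation.nonce !== expectedNonce) {
    return { ok: false, reason: 'nonce mismatch' }; // replayed or misdirected
  }
  if (!trustedIssuers.has(credential.issuer)) {
    return { ok: false, reason: 'untrusted issuer' };
  }
  if (!checkSignature(credential, issuerProof, credential.issuer)) {
    return { ok: false, reason: 'bad issuer signature' }; // claims were altered
  }
  if (presentation.holder !== credential.subject) {
    return { ok: false, reason: 'holder is not the credential subject' };
  }
  if (!checkSignature(presentation, proof, presentation.holder)) {
    return { ok: false, reason: 'bad holder signature' };
  }
  return { ok: true, claims: credential.claims };
}

// Constructed scenario: one valid presentation and three that must be rejected.
function demo() {
  const issuer = createIdentity('did:example:university');
  const alice = createIdentity('did:example:alice');
  const mallory = createIdentity('did:example:mallory');
  const trusted = new Set([issuer.did]);
  const nonce = randomBytes(16).toString('hex');

  const vc = issueCredential(issuer, alice.did, { degree: 'BSc' });
  const good = verifyPresentation(createPresentation(alice, vc, nonce), nonce, trusted);

  // A claim edited after issuance no longer matches the issuer's signature.
  const edited = JSON.parse(JSON.stringify(vc));
  edited.credential.claims.degree = 'PhD';
  const tampered = verifyPresentation(createPresentation(alice, edited, nonce), nonce, trusted);

  // A copied credential presented under a different DID fails the subject check.
  const stolen = verifyPresentation(createPresentation(mallory, vc, nonce), nonce, trusted);

  // A presentation made for an earlier nonce fails against a fresh one.
  const freshNonce = randomBytes(16).toString('hex');
  const replay = verifyPresentation(createPresentation(alice, vc, nonce), freshNonce, trusted);

  return { good, tampered, stolen, replay };
}

console.log(demo());
```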

DID Vulnerabilities

As with any new technology, DID brings its own security risks in managing and securing a new attack surface, which consists of blockchain code, private keys, post-authorization cookies and nodes.

Blockchains store identity operations—everything from creating an identity, revoking keys or even restoring an identity—and are made up of code. Code can be broken; it can contain bugs that eventually turn into vulnerabilities. Since DID is a new concept, the possibility of security issues introduces a different attack surface. The average person can’t keep track of an entire blockchain; that’s what nodes are for. They also provide reliable data for the chain. However, some nodes can be malicious. Threat actors can target nodes and modify the user’s data. This is an ongoing challenge across all decentralized systems.

Not all cybersecurity breaches get reported. A new report from Bitdefender found that although IT leaders have an obligation to report attacks, over 42% of them have been told to keep quiet.

CISOs may have reasons to keep attacks confidential, but the high rate of silence is alarming since it could further enable attackers and limit knowledge sharing about public vulnerabilities. Retaining confidentiality of data breaches may also go against new data breach laws in the U.S. and EU. But this is only one of many concerns around cybersecurity in 2023. IT professionals report grappling with rising threats, economic headwinds, and a shrinking staff lacking the proper security skills.

New Data On Concealing Breaches:

Over half (51.7%) of organizations reported experiencing a data breach or data leak in the past 12 months. Software teams are facing a rising number of attacks across areas like vulnerable software, open source components and unknown dependencies. However, it turns out that many of these breaches weren’t handled with transparency in mind.

To reiterate, a shocking 42% of IT leaders have been told to keep a breach quiet when they know they should have reported it. And 29.9% admitted they have kept a breach confidential when they know it should be reported (a figure that rises to 54.7% in the U.S.). This data demonstrates a bit of integrity on the part of IT professionals to disclose breaches, but many face an uphill battle depending on the internal culture.

Interestingly, the culture around breach concealment changes drastically depending on the geography. While retaining confidentiality is relatively high in the U.S., it is far rarer in European countries. For example, in France and Germany, just 26.9% and 35% of CISOs have been told to keep quiet regarding a breach, respectively.

Companies are likely worried about financial and reputational damage due to a data breach. Yet, if new regulations that require increased cybersecurity reporting are unmet, it could result in high legal repercussions and fines. As a result, 54.3% said they were worried about their company facing legal action due to a security breach being mismanaged. Again, in the U.S., where breach concealment is highest, 78.7% worried about facing legal action due to mishandling data breaches.

Hackers have turned to weaponizing their actions and treating malicious actions as a lucrative business. So, what kind of threats are organizations most concerned about? This year, software vulnerabilities and zero-day attacks rank highest, at 53.9%. This makes sense, given the trend of high-risk remote code execution vulnerabilities discovered, from SUNBURST to the infamous Log4j vulnerability. This risk is followed by social engineering threats and phishing attacks (52.2%), supply chain attacks (49%) and ransomware (48.5%).

Unfortunately, most IT and cybersecurity professionals (72%) reported their company had seen an increase in the sophistication of phishing attacks. These psychological attacks take advantage of human weaknesses or the lack of awareness of internal employees. This underscores the need for a zero-trust approach to adequately safeguard digital environments in the age of the remote and hybrid workforce.

To address persistent security concerns, nearly 74% said they planned to increase their security budget for 2023. A full 93% also said proactive threat hunting is very important to detect and respond to threats.

Yet, vendor solutions aren’t always living up to the market hype. Leaders reported the most significant challenge with security solutions was extending capabilities across multiple environments. This makes sense, given a company’s IT stack is often quite varied and uses multiple deployment locations. This challenge is followed by complexity, a lack of skill sets and incompatibility with other security solutions.

Final Thoughts

No one is completely immune from cybersecurity threats, and the role of addressing security is becoming more of a company-wide issue. The report found that the biggest myth around cybersecurity is that “security is solely the responsibility of the IT team.” It will take greater awareness to instill a culture of security best practices to limit insecure coding and thwart social engineering tactics.

The bar is quite high for security—and resolving security vulnerabilities won’t likely rest on a single technical solution provider. At the same time, organizations appear to desire comprehensive solutions compatible with various IT stacks and other tools. They must also expunge myths like “our organization is not a target for cybercriminals,” an attitude that may live on due in part to a lack of disclosure around exploits and leaks.

Conducted by Censuswide, the Bitdefender 2023 Cybersecurity Assessment surveyed 400 IT professionals working in organizations with over 1,000 employees in the U.S., Italy, UK, Germany, France and Spain.

Data Sovereignty

Massive amounts of data are generated globally every second, making their wrongful use and distribution across the digital landscape inevitable. As a result, it can be difficult to manage business-critical data. In addition, the widespread adoption of cloud computing services along with new data storage approaches have eroded the geopolitical barriers significantly.

This has resulted in a surge of uneasiness among data regulators around the globe concerning data privacy and security. The rise of recent high-profile data breaches and cyberattacks has propelled governments to take extra measures to prevent citizens from falling victim to these threats that are not limited by countries, regions or borders. This is where the concept of data sovereignty becomes crucial.




In this blog, we’ll dive deep into the notion of data sovereignty, understand its significance, benefits and challenges, explore the concept of data sovereignty as it relates to cloud computing and SaaS applications, and see how Spanning Backup can effectively tackle the issue of data sovereignty for your critical cloud-resident data.

What is data sovereignty?

Data sovereignty refers to the idea that the data collected, stored or processed by an organization is under the jurisdiction of the nation where it’s collected. In simple terms, the government can regulate how the data originating within its territory gets collected, stored, processed and distributed.

This means a business has to store the personal data of its customers in a way that complies with the data privacy regulations and guidelines of the host country. Failing to do so can result in heavy fines or in the company being forced to fulfill the requirements in another way.

Why is data sovereignty important?

As more and more data gets generated and collected via various channels, such as ecommerce, mobile devices and social media, there is a high chance of chaos and confusion when safeguarding this massive pile of digital information. Bad actors can quickly take advantage of this confusion to wreak havoc. With an evolving presence in laws and regulations across countries, nations and states, data sovereignty ensures sensitive data, like personal information or trade secrets, aren’t easily abused by cybercriminals. It also helps businesses access their data in the event of a disaster or disruption. Keeping data within their jurisdiction allows businesses to recover it quickly when needed.

Data sovereignty can also provide a competitive advantage to companies willing to comply with local regulations. This demonstrates a commitment to protecting customer data, building trust with customers and gaining an edge over those who disregard data security.

How does data sovereignty work?

Data sovereignty is the concept that data is subject to the jurisdiction of the nation where it’s collected, not the law or regulation itself. So, a business based in the U.S. will still have to comply with the General Data Protection Regulation (GDPR) of the European Union (EU), along with any other local law, if customer data is collected from France.

If the same company collects data from Canada, it must comply with Canadian data sovereignty laws. Therefore, organizations operating across international borders in terms of data collection and processing face a higher degree of complexity while dealing with data.

What is an example of data sovereignty?

Today, the data sovereignty landscape is complex, with multiple legislative bodies touching this area. One such prominent institution is the Australian Privacy Principles (APPs), which govern how a business deals with and stores personal data. According to this set of principles, personal data kept in Australia must meet the 13 standards specified by APP, including how to use and collect data and a person’s right to access the data.

Another such institution, the Canadian Consumer Privacy Protection Act (CCPPA), provides control of the data to the customers and is very transparent about how an organization uses data containing personal identifiers.

So, when it comes to data protection, things can get complicated quickly. Private users and companies using cloud services and external servers are often unaware of their role in the ownership of the data. This is where data sovereignty comes into play.

What is the difference between data sovereignty and data residency?

Data sovereignty often gets confused with “data residency,” particularly by organizations managing cross-border data flows. Although both are part of the same basic concept, it’s crucial to know the differences between them and how they impact the organization’s data and business operations.

Data residency refers to the physical location where a company decides to store its data. Data residency requirements arise mainly for policy- or regulation-related reasons. One such scenario of regulation-related data residency requirements is when businesses store data in a specific country because of tax advantages. To leverage the tax advantage, the businesses ensure they do most of their operations within the nation’s borders. That’s why data is stored in a geographical location within the borders. Data sovereignty, in contrast, refers to designating the geographical location where data is stored and being subject to that nation’s law.

While data residency ensures data stays within the specific geographical boundary, data sovereignty sees that the information is subject to the jurisdiction and legal protection of the country where it’s physically stored.

Then comes the idea of data localization, which involves ensuring certain types of data get stored and processed within a particular country.

In a nutshell, data sovereignty is a broad term comprising data localization and data residency. From a business perspective, all three concepts should be considered when managing data.

What are the benefits of data sovereignty?

Data sovereignty can be instrumental in stimulating the digital economy and provide multiple benefits such as:

  • Individuals can easily switch providers, enabling their data to be commercialized by businesses.
  • Companies can trade more securely, easily and cost-effectively with other organizations.
  • There will be more digital competition since customers are no longer locked in with their data.
  • Faster commercial innovation is encouraged.

From an ethical perspective, data sovereignty is also crucial because companies must respect their customers’ data and its privacy and sensitivity.

What is the problem with data sovereignty?

Data sovereignty law/requirements differ from place to place, making it difficult to understand and navigate. Here are some of the challenges related to achieving compliance:

  • Relatively new kid on the block — Data sovereignty is a new concept and does carry a bit of uncertainty with staying intact. Laws tend to evolve quickly since countries make changes in policies. So, changes in legal frameworks and geopolitical situations can impact data sovereignty requirements, making the environment challenging for businesses.
  • Cross-border data flows — For businesses who want to expand beyond their borders, things become more complicated. There’s an increase in the cost and complexity of handling data since it becomes difficult to determine which data sovereignty laws the business should abide by.
  • Operational costs — Data sovereignty laws can result in higher operational costs. For example, it might be necessary to change the way of collecting, storing and processing data to ensure all the relevant rules and regulations are accommodated. Companies might have to make repeated changes to this to maintain compliance as the laws are rapidly evolving. This can increase the cost heavily.
  • Data mobility — Data mobility can be affected by data sovereignty laws. It can restrict how a business moves its data from one point to another. It also means that specific cloud locations and services cannot be used. Even certain forms of encryption and security arrangements will not be permitted.
  • Cybersecurity risks — To prove compliance with data sovereignty laws, organizations need to mention in detail how they handle clients’ sensitive data. This can be exploited by cybercriminals to target and compromise data, resulting in severe financial and reputational consequences.
  • Software-as-a-Service (SaaS) and cloud infrastructure — SaaS and cloud services are often distributed in multiple locations, making data sovereignty an issue. The challenge depends on where the provider is based and where and how it will be collecting, storing and processing the data.

What are the requirements for data sovereignty?

With more than 100 countries now enforcing laws related to data sovereignty, things are bound to get complicated. Balancing the protection of corporate data, personal data and a strong market position will be difficult. That’s why understanding the legal frameworks — consisting of both individual contract agreements between clients and service providers as well as national and international data protection regulations — is essential. This allows users to be aware of how their personal data gets processed. Simultaneously, the analysis of user data is also crucial.

Thorough knowledge of how and where the data gets stored is a primary consideration of data sovereignty. It helps to understand the region where data is stored and the regulatory requirements of that region.

When the data is in transit, the following considerations can come in handy:

  • The type of data typically transferred
  • From where to where the data gets transferred
  • How often the data gets transferred between geographical regions

Being aware of the source and destination region helps determine any legal issues and adjust data flow accordingly to comply with the appropriate legal jurisdiction. Also, there should be a privacy policy that will transparently communicate the measures taken to securely process data.

Does the U.S. have data sovereignty laws?

The U.S. data security measures are far behind those of European counterparts. Although the federal laws in the U.S. do little to protect their citizens from data misuse, certain states have started implementing laws of their own, regulating the handling of data.

California was the first state to pass a data privacy law modeled after the European GDPR. As per GDPR, any company collecting or processing the personal data of EU citizens must store the data within the EU or somewhere with similar levels of data protection. The California Consumer Privacy Act (CCPA) takes a cue from this framework.

One of the most common laws related to data sovereignty in the U.S. is the U.S. Patriot Act, according to which the American government has the authority to access data physically stored within the country, regardless of its origins. This means a European citizen’s data is exposed to the U.S. government if the information is physically stored within the U.S. borders.

In June 2022, the U.S. House of Representatives Committee on Energy and Commerce voted in favor of the American Data and Privacy Protection Act (ADPPA) that would provide federal protection of personal data. However, it’s yet to be implemented as it still needs approval from higher authorities.

What is data sovereignty in the cloud?

Many countries have limitations on data transmission outside their borders, whereas many have privacy laws restricting the disclosure of personal data to third parties. So, companies conducting business in these countries could be prohibited from transferring or sending data to third-party cloud providers for storage or processing.

Data stored by the companies in the cloud might come under the jurisdiction of more than one country’s laws. So, there will be different legal requirements regarding data security, privacy and breach notification. This is even more complicated for companies using hybrid cloud strategies, where each cloud deployment must adhere to separate, local legal requirements — an extra layer of confusion to an already challenging concept.

Therefore, companies using cloud infrastructure must address data sovereignty concerns holistically by incorporating every department in risk management and governance processes.

When it comes to the three major cloud providers, let’s see how each of them tackles this issue:

  • In the case of Microsoft Cloud Infrastructure, data sovereignty revolves around how Microsoft manages and restricts access to customer data, including legal policies for government and law enforcement requests for data.
  • Google Cloud has come up with Digital Sovereignty Explorer, which is designed to take individuals through a set of questions about their organizations’ data sovereignty requirements.
  • One of the easiest ways to address this issue is to implement a Cloud Data Protection Gateway. When deployed with a specific form of Salesforce Tokenization technology, it allows sensitive data to stay physically on-site and only sends replacement values to the Salesforce Cloud.

How do you ensure data sovereignty in the cloud?

Implementing cloud data sovereignty best practices can help simplify this challenging concept. At the same time, companies need to be aware of the legal and regulatory environment while maintaining full compliance.

Keeping things simple

When dealing with such a complex set of laws, rules and regulations, it’s crucial to simplify. Organizations can uniformly implement measures that comply with the strongest data protection laws. This includes conducting a comprehensive audit of their data and staying up to date with changes in data protection laws and regulations in the countries they operate.

Keeping track of backups

Data sovereignty applies to backup as well. So, understanding how an organization backs up its data is important — on-premises, using public cloud services like Amazon S3 or dedicated cloud services like Dropbox or Google Drive. Evaluation of these backup options ensures they align with the respective region’s data sovereignty requirements.

Using cloud providers with data residency options

Organizations can safely rely on major cloud providers like AWS and Microsoft for data sovereignty compliance. Many of these providers operate in-country data centers and come with various other features, including data encryption and security services, ultimately helping customers achieve compliance with local data laws.

Blindly relying on cloud providers for compliance is not an ideal option. Opting for a third-party cloud provider that ensures the data is stored and processed in specific regions or jurisdictions is necessary.

The letters CIA are often associated with the formidable United States spy agency. However, in cybersecurity, CIA refers to a triad of concepts that serve as the core building blocks in establishing effective security systems. These are confidentiality, integrity, and availability.

Confidentiality calls for the protection of sensitive data from unauthorized access. Integrity is about the completeness, accuracy, and tamper-proofing of data. Meanwhile, availability entails the accessibility of complete and accurate data for those authorized to access it. These concepts sound simple and unsophisticated, but they form the foundation of dependable security systems, which are crucial amid the growing aggressiveness of cyber threats.

In 2022, the FBI’s Internet Crime Complaint Center (IC3) reported a 68% increase in cybercrime complaints compared to pre-pandemic levels in 2019. This underscores the urgency for organizations to reevaluate and adapt their cybersecurity strategies to effectively balance the need for confidentiality, integrity, and availability in the face of new challenges and threats.

The conflict between confidentiality, integrity, and availability

As building blocks of a security system, the elements of the CIA triad are expected to be complementary to each other. However, these concepts can pose challenges to each other’s actualization. Here’s a look at how confidentiality is important but also potentially a hindrance in achieving data integrity and availability, and how integrity can make it difficult to ensure that data is highly available.

Confidentiality vs. Availability

Confidentiality requires the imposition of limits on data access, which can make data less available. By implementing data encryption, access controls, user authentication, and other security controls, data access becomes limited and available only to selected users. Some would view these controls as an inconvenience, especially among those who have been accustomed to being able to access data easily because of their positions or long tenure in an organization. There are also instances when even those who have authorized access have a hard time getting the data they need because of authentication protocols and other security measures.

On the other hand, availability in the field of information technology is not just about data being accessible. This accessibility also needs to be granted in a timely and speedy manner, especially in the age of DevOps and agile development. It is unproductive to make users wait turns to download files or have their data transfer speeds curtailed because of multiple users accessing the same server. Redundancy, load balancing, and disaster recovery planning should be in place to ensure fast and timely availability.

One example of the confidentiality-availability conflict is demonstrated in the use of strong encryption for sensitive data. While encryption helps ensure confidentiality, the corresponding decryption can take some processing overhead, making the data not immediately available to authorized users. Similarly, enforcing strict access controls may improve confidentiality but can also cause delays in accessing critical systems, especially during emergencies.

Confidentiality vs. Integrity

Integrity suggests completeness, accuracy, and being free from unintended modification or distortion, which are attributes everyone would want for their sensitive data. However, there are instances when data integrity efforts result in weakening confidentiality.

One example of the confidentiality-integrity conflict is the use of data hashing for authenticity verification. While hashing ensures data integrity, it can potentially reveal patterns or other information about the original data. This can result in data confidentiality breaches. Another notable scenario demonstrating the confidentiality-integrity conflict is the logging or monitoring of activities involving data access or modification. This is helpful in maintaining data integrity, but it may inadvertently expose sensitive information to unauthorized personnel.
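An added Node.js example (not from the original article) of the hashing point above: an unkeyed SHA-256 digest stored as an integrity check exposes repeated values and lets a reader of the digests confirm a guess, while an HMAC bound to the record id detects the same modifications without either leak. The records, field names and candidate values are constructed for illustration.

```javascript
// Added illustration: integrity digests over a low-entropy field.
const { createHash, createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Constructed sample data: a field that can only take a handful of values.
const POSSIBLE_RESULTS = ['negative', 'positive', 'inconclusive', 'pending'];
const records = [
  { id: 'rec-001', result: 'positive' },
  { id: 'rec-002', result: 'negative' },
  { id: 'rec-003', result: 'positive' },
];

// Weak form: an unkeyed hash of the value, stored beside the record.
function plainDigest(record) {
  return createHash('sha256').update(record.result).digest('hex');
}

// Hardened form: HMAC under a key held only by the integrity checker, with the
// record id mixed in so equal values in different records give different tags.
function keyedTag(key, record) {
  return createHmac('sha256', key)
    .update(record.id).update('\0').update(record.result)
    .digest('hex');
}

// Integrity check for the hardened form, compared in constant time.
function verifyTag(key, record, storedTag) {
  const expected = Buffer.from(keyedTag(key, record), 'hex');
  const given = Buffer.from(storedTag, 'hex');
  return expected.length === given.length && timingSafeEqual(expected, given);
}

// What a party who sees only the stored digest can learn: hash each possible
// value and compare. Returns the matching value, or null if none matches.
function recoverValue(storedDigest, digestOfCandidate) {
  const hit = POSSIBLE_RESULTS.find((c) => digestOfCandidate(c) === storedDigest);
  return hit ?? null;
}

function demo() {
  const key = randomBytes(32); // kept by the verifier, never stored with the data
  const plain = records.map(plainDigest);
  const tags = records.map((record) => keyedTag(key, record));

  return {
    // Pattern leak: rec-001 and rec-003 hold the same value.
    plainRepeats: plain[0] === plain[2],
    tagRepeats: tags[0] === tags[2],
    // Value leak: the unkeyed digest alone identifies the value.
    recoveredFromPlain: recoverValue(plain[0], (c) => plainDigest({ result: c })),
    // Without the key, the same comparison against the tag finds nothing.
    recoveredFromTag: recoverValue(tags[0], (c) =>
      keyedTag(randomBytes(32), { id: 'rec-001', result: c })),
    // Both goals at once: the tag still accepts the original and flags a change.
    acceptsOriginal: verifyTag(key, records[0], tags[0]),
    detectsChange: !verifyTag(key, { id: 'rec-001', result: 'negative' }, tags[0]),
  };
}

console.log(demo());
```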

Organizations usually implement measures like checksums, digital signatures, and version control systems to detect and prevent unauthorized modifications. However, some integrity controls might create opportunities for security breaches. For instance, version control systems, which are part of software supply chains, can become an attack vector. The Kaseya ransomware, for example, was spread to thousands of unsuspecting users by exploiting vulnerabilities in cloud-based software repositories.

Integrity vs. Availability

A possible integrity-availability conflict could arise in situations where frequent data backups are performed to ensure availability. This practice increases the risk of unauthorized modifications and the propagation of data corruption, thus affecting data integrity. Backups and redundancies are important, but careless configuration can turn them into vulnerabilities.

Also, many organizations tend to prioritize uptime over security updates and system maintenance. They delay the application of crucial software patches to avoid going into temporary downtime. This practice is unsafe and can result in serious security issues, as it allows vulnerabilities to be open for possible exploitation for a long time.

High availability can be achieved without sacrificing data integrity. Unfortunately, many organizations fail to implement suitable measures and balance in configurations to achieve both.

Strategies in Balancing the CIA Triad

Successfully balancing the CIA Triad requires organizations to implement a combination of strategies that address the trade-offs and conflicting priorities among confidentiality, integrity, and availability. The following key solutions can help.

Risk Assessment and Management

To determine the most suitable security controls to use and the proper configuration, it is vital to undertake risk assessment and management. This involves the routine identification of threats and vulnerabilities to understand the risks an organization is dealing with. Sometimes, organizations use excessive encryption for almost all of their data to ensure confidentiality. This may not only be unnecessary but also potentially antithetical to the goal of high availability.

Risk assessment is a precursor to risk prioritization, which is important in determining which data should be kept confidential and what kind of methods to use to achieve the desired confidentiality. For example, the encryption of all backups and all network traffic can become counterproductive, as they considerably slow down access to data used in routine tasks that are already secured by other security controls like web application firewalls.

Layered Security Approach

Another way of balancing confidentiality, integrity, and availability is by implementing layered security. Instead of having an all-in-one security approach across the board, different security controls can be used for different scenarios. This does not mean, however, that only one security control may be employed for certain processes like only implementing access control during logins and encryption when using communication apps. Multiple controls may be used for certain actions as necessary.

The point of having layered security is to make sure that there are no single points of failure. If one security control fails to stop an anomalous action, there should be another control on another level that can detect and block the anomaly that made it through a control level that failed. Some controls become dysfunctional because of a glitch or the failure to apply security updates.

Layered security is a form of redundancy designed to anticipate software issues and other problems that allow threats to penetrate. This approach provides a more robust cyber defense, making it easier to balance the objectives of the CIA Triad effectively.

Adopting a Data-Centric Security Model

Cybersecurity is sometimes referred to as a data problem. Threat actors chase data because it is known as the currency of the digital age and it can provide hints about vulnerabilities. Cybercriminals steal or corrupt data for various purposes. Also, hackers analyze data to find security weaknesses or opportunities to attack.

As such, it is important to focus on protecting data at its source and establishing a data-centric model, one that prioritizes the security of data instead of fixating on the protection of systems. Data should be evaluated to determine its sensitivity. Low-risk data may not need strong security measures while high-risk ones should be prioritized in implementing security techniques that tend to slow down processes and reduce availability.

A security model that has data at its core helps in making informed decisions on security concerns. It tends to be proactive as it also looks into patterns in the threat landscape instead of merely reacting to security events or threats detected by the controls.

The need for a strategic balancing act

Balancing the CIA triad is far from easy. Organizations need expertise and experience to properly determine the right security measures or controls to implement and the best configurations. It is crucial to be aware of the trade-offs and to reconcile conflicts in achieving confidentiality, integrity, and availability.

Balu Doundkar

BOOTUP COMPUTERS PRIVATE LTD INDIA

1 year ago

We are software developer providing to UK, US base companies. We need Vendor code from directly clients
