Data Breaches Are Trending

While IT security in 2018 has been dominated with news about CPU vulnerabilities, we may very well look back on 2017 as the year of online data breaches and cloud data leaks. From stolen consumer data due to unpatched vulnerabilities to sensitive data leaks due to misconfigured cloud storage buckets, it seems that no one’s data was safe in 2017. For a number of reasons, this is a trend that is likely to continue in 2018 and beyond:

The inexorable move from analog to digital means more and more of our data is being stored on computers and websites that are targets for hackers. For example, the Equifax breach impacted 145 million consumers who had personal information stolen.

A greater percentage of company employees work remotely using a wide range of devices from desktops to smartphones. This expands the threat landscape and gives malicious actors more ways to compromise valuable data.

The growth of the public cloud means that increasingly more data is being stored outside of company data centers in repositories that are accessible via public endpoints. This move to the cloud requires knowledge and skill sets that are still in short supply, leading to misconfigured and insecure solutions. For example, a Skyhigh Networks study claims that 7% of all Amazon S3 buckets allow unrestricted public access and 35% host unencrypted data.

Education, security software with better usability, and a growing library of recommended security practices will undoubtedly help, but IT professionals should assume data breaches and leaks are a matter of when — not if. Werner Vogel, CTO of Amazon Web Services, recently said that “every developer should be a security engineer.” I would argue that it is in fact every IT professional’s responsibility to be a security professional, whether you are a developer or an operator.

The Importance of Data Confidentiality

A useful model for evaluating a company’s security posture is the CIA triad, which stands for Confidentiality, Integrity, and Availability. Traditionally, IT has focused on ensuring the integrity and the availability of data but not so much on the confidentiality of data. Not enough thought has been given to ensure not only that company/customer data does not get into the wrong hands, but also that the data cannot be accessed when it is compromised.

That is why the use of data encryption should be a requirement for every company. When (not if) your company’s or customers’ data is compromised, data encryption is the best way to ensure that this data cannot be accessed and misused by malicious actors. Data encryption protects the confidentiality of your data by making it unreadable to prying eyes who do not have a “key” to unlock that data.

If you have not considered the importance of using data encryption pervasively throughout your company, consider the following scenarios:

A malicious actor gains access to your data center or your cloud provider’s data center where they are able to take possession of hard drives from servers and storage systems.

A malicious actor breaks into a server or workstation on your company network and gains access to and downloads data from your network drives.

A remote worker uses a public WiFi network (perhaps at their local Starbucks) to access sensitive company data. The communication is intercepted by a malicious actor who now has access to that data.

A remote worker has their laptop stolen at an airport and now any sensitive company data on the laptop is in the hands of the malicious actor who stole it.

A company stores backup data in a cloud storage bucket that can be accessed via a public endpoint. A malicious actor gains access to the bucket and to all the data that resides in that bucket.

The above are just a few of the possible scenarios in which valuable data could be compromised. But encryption, both in transit and at rest, would play a critical part in protecting the confidentiality of that data. To help bring clarity to this topic, we will, in future posts, be diving into data encryption in general and cloud encryption in particular.

Defining our Scope

Since this such a big topic, it’s helpful to define the scope of the series:

Encryption is a critical component of cybersecurity but by no means the panacea for all problems. The best security posture takes a multi-layer approach where data is secured end to end.

Encryption can and should be leveraged for a number of use cases including user authentication, data integrity checks, digital signatures and non-repudiation. This series, however, will focus specifically on data encryption.

It is important that data be encrypted both in transit and at rest. The former focuses on encrypting the communication channel between two entities while the latter focuses on encrypting stored data. For this series, we will focus specifically on encryption at rest.

Data residing in physical servers and storage subsystems can be encrypted, and while the overview in the first two blog posts will be applicable to those use cases, the series will be primarily focused on data encryption in the Cloud.

Security is no longer just the domain of a company’s Chief information Security Officer (CISO) but the responsibility of every IT professional. Stay tuned as we explore data encryption at rest and how it can be used to protect you and your company.

To learn more about this topic, check out our blog post on ransomware trends and security best practices.