Sunday , 23 September 2018
Home » NEWS » THIS WEEK’S GURUS » Why Access Controls Are Not Enough to Stop Data Breaches
Linus Chang, CEO, Scram Software
Why Access Controls Are Not Enough to Stop Data Breaches

Why Access Controls Are Not Enough to Stop Data Breaches

By Linus Chang, CEO, Scram Software (https://scramsoft.com/)

Data breaches have quickly morphed into an alarming epidemic. This is evidenced by the fact that they have become so commonplace, they’re seen as a given now rather than as shocking news. Recent history offers countless examples of breaches that can be instructive as to what’s going wrong, but here are just a few:

  • In June of 2017, the Republican National Committee leaked data on 198 million Americans, due to human error that led to a cloud misconfiguration that exposed a massive amount—about 1.1 TB—of personal information on American voters. The data that was leaked was not even password-protected, resulting in the largest breach in the U.S. to date.
  • Also in 2017, a security lapse exposed the critical servers at Stewart International Airport in New York for a full year. This human error was traced back to insecure hardware configuration defaults, which resulted in sensitive data being left open to the world including critical government files, a password list, and gigabytes of emails.
  • An earlier hacking attack involved iCloud leaks of nearly 500 private celebrity photos, many containing nudity, being shared publicly. This was traced back to a vulnerability in the iCloud API, which allowed unlimited attempts at guessing passwords without lockout and concurrently targeted attacks via phishing methods.

And it isn’t just individual companies or small groups of customers that are suffering from these incidents either. Research shows that half of Filipinos, half of South Africans, and two-thirds of Americans have been affected by breaches.

Protective Layers

One might assume that after a few such devastating events had taken place, IT security would do what it takes to safeguard data. After all, humans (even developers and systems administrators) make mistakes. There are also potential threats from first and second parties—from within your company or your vendor base—as well as third parties. But based on the expanding rather than decreasing number of data breaches worldwide, it’s clear that organizations are failing to take the necessary steps for better data protection—specifically, by adding encryption as a technological safeguard that protects data even in the event that access controls are breached.

Studies have proven that when a data breach does occur and data is stolen, 96 percent of the data is unencrypted, essentially up for grabs by cybercrooks. Why isn’t encryption being used when it should be for data at rest? The problem comes down to the erroneous belief among many IT professionals that perimeter security is all they need. So once they’ve “secured” their network, they don’t bother to implement security within the network. Clearly in a cyber world, it simply isn’t enough to just implement access controls and perimeter security because once someone is inside, it becomes a free-for-all. Another safety net is needed as an added layer of protection, to catch companies when they fall, if you will.

Home Invasion

To give a simple analogy of why access controls alone don’t work, think about if you had to figure out the best way to store a $5 million diamond in your home. The smartest solution, clearly, would be to employ not just one layer of protection, but instead multiple layers. You’d no doubt start by locking your doors and windows—“perimeter security” for your physical home.

But even so, you’d recognize that determined thieves can always find ways through these “access controls.” So you wouldn’t just leave the diamond lying in full view on the kitchen table. Instead, you’d put it in a safe, with a combination and extra key for another layer of security in case the locked doors and windows failed to do their job.

When dealing with sensitive data, it’s as valuable as a diamond when you price out the consequences of having that data compromised, so these files also need to be secured in a “safe” of sorts. Encryption acts as the equivalent of a physical safe, keeping in mind that in the cyber world, it’s virtually impossible to lock only the doors and windows and stay secure, since an IT system has countless potential points of entry. So it’s even more crucial to have a breach mitigation strategy at the ready.

Steps to Security

Instead of relying only on access controls, IT professionals should routinely encrypt their primary copies of data—and even more importantly, their secondary copies of data—including all backups, migrations, archives, and transfers, as well as their live data. The best practice for administrators is to automate this process by building it into their current automated scripts so that each and every backup will be encrypted without hassles. Some systems don’t support encryption, such as MySQL free edition, so you can use encryption tools to get around this. Don’t stop with backups, though: you should also encrypt all transfers between parties.

Choose wisely, as not all encryption systems offer equal results. A strong encryption system should leak no information while locking out the adversary. Ideally, your end-to-end encryption solution will have the capability to encrypt both data and metadata, support cloud storage and local storage, and protect against integrity attacks such as substitution, not just privacy.

As you take these steps, keep in mind that there are multiple reasons why you are doing so. Data security is now not only a legal requirement under GDPR and other privacy legislation, but it has also become a moral obligation for businesses that keep customer data. Companies are considered the custodians of consumer data, and organizations that fail to properly protect it can find themselves facing hefty fines. So it’s important to secure this data with multiple layers of defense, as if it really were a precious diamond.

By examining why data breaches keep occurring, the solution becomes clear. IT professionals need to learn the lesson behind the shortfalls in implementing only access controls, and instead adopt multiple layers of security. Encryption is the number-one most effective strategy you can employ to secure data privacy and integrity, and is the cyber world equivalent of keeping your data in a safe, not out on the kitchen countertop. By encrypting all backups and live data, and then protecting the keys and credentials carefully, you have your answer on how to circumvent breaches, secure data, and make the world a safer place for companies and consumers alike.

 

Linus Chang, CEO, Scram Software (https://scramsoft.com/) Bio

Linus Chang is a computer programmer and entrepreneur from Melbourne, Australia.

Chang started programming computers aged seven. He spent his spare time coding up hobby projects and learning different programming languages, winning numerous awards and subsequently representing Australia in programming as a teenager. Shortly after graduating from Monash University (Melbourne, Australia), he ventured into business and entrepreneurship. Linus is also known for creating the BackupAssist product, which has sold over 100,000 copies to the Small to Medium Business (SMB) market in 145 countries.

Chang has a passion for creating mass market software products that solves real world problems and makes people’s lives better. Chang founded Scram Software to address the security issues faced by businesses when using the cloud.

About Japonica Jackson

Japonica is head of editorial at IT Security Guru. If you'd like to get in touch with Japonica, please email editor@itsecurityguru.org.