By Trevor J Morgan, product manager at comforte AG
The cloud is an incredibly useful tool for businesses and enterprises that process huge amounts of information. Over recent years, cloud adoption has increased substantially. Indeed, the public cloud service market is expected to reach $623.3 billion by 2023 worldwide as more businesses look to expand operations but lack the tools or resources to deploy inhouse cloud operations. This is especially true for enterprises that process financial or biographical data such as personally identifiable information (PII). Indeed, we are living in a society where data is considered to be the “new gold”, so more and more companies are storing and processing sensitive information, from payment card details, to personal health information. In fact, a study in 2018 found that more than 70% of insurers rely on cloud computing. This rising adoption of cloud computing may be attributed to the increased efficiency, flexibility and speed compared to traditional systems.
However, due to the recent rise in cloud computing adoption, and the significant rise in value for data, many cybercriminals are shifting their focus to targeting cloud architecture due to the wealth of valuable information that they hold. This is particularly concerning as often enterprises fail to properly protect their information that is housed in the cloud, especially if they rely on plain-text data for analytical purposes. In fact, according to a recent study, nearly 80% of companies have experienced a cloud data breach in the past year and a half, establishing it as a worryingly porous attack vector. This may be due to a multitude of reasons such as limited resources, decreased visibility of on-cloud assets, or simply security apathy as occasionally teams will upload data to the cloud under the default security settings or with weak, easily guessed, passwords. Indeed, poorly considered cloud computing operations may have a number of consequences from Magecart attacks, to leaky buckets, the risk of poor cyber hygiene in the cloud can be catastrophic.
In fact, the repetitive cycle of damaging data breaches is one of the factors that has contributed to the various data protection regulations that have appeared across the world. In Europe specifically, there are a number of regulatory frameworks that are in place when it comes to protecting data. The European Union Agency for Network and Information Security (ENISA) published a 2013 paper in tandem with member state data protection authorities in order to provide a working guideline that stipulates recommendations for the assessment of severity of personal data breaches. While this paper is not legally binding, it has historical significance as it aimed to provide a precedential quantitative criteria to measure the severity of data breaches.
In fact, the most severe form of data breaches according to the criteria laid out by ENISA are when “individuals may encounter significant, consequences, which they may not overcome”. This includes financial distress such as “substantial debt or inability to work”. Furthermore, under the recommendations section of this paper, ENISA ranks breached financial information as one of the highest scores for assessing data breaches. Indeed, “any type of financial data (e.g. income, financial transactions, bank statements, investments, credit cards, invoices, etc.)” has a preliminary basic score of three out of 4. In this instance, the threat score of the breach is decreased significantly if the breached information “does not provide any substantial insight to financial information”. Conversely, if the financial information contains specific data sets that can be corroborated to specific induvial, then according to ENISA guidelines, the breach in question would receive a maximum rating of four. This emphasises just how critical this information truly is, and why so many regulatory frameworks have been established to ensure data security.
The paper by ENISA also outlines four categories that data breaches fall into: loss of confidentiality, loss of integrity, loss of availability; and malicious intent. While there is some discrepancy and overlap between each category, it is important to remember that each of these circumstances will also negatively affect your relationship with customers, both present and future. The various definitions of data breaches each bring their own unique challenges that must be appropriately considered. Therefore, in order to mitigate the negative publicity that circles data breaches like a flock of vultures, businesses have begun to deploy a number of controls that will limit the likelihood of falling foul of regulatory requirements, maintain sensitive information while still providing analytical insight, and contribute to the cultivated success and trust between businesses and their clients.
Of these solutions, one in particular has the unique capacity to cover multiple cross-regulatory requirements and provide a security solution that not only meets regulatory frameworks, but also allows the facilitation and analytics of sensitive data. Pseudonymisation has been frequently touted as the best method for both data security and regulatory compliance. The application of pseudonymised data has several applications for data protection, utility, scalability and recovery across various types of identifiers such as IP addresses, email addresses, financial information, biographical data and analysis. While a one fix-all-solution doesn’t exist, pseudonymisation, when properly deployed, has numerous benefits such as reducing the threat of discrimination or re-identification attacks, while simultaneously maintaining the degree of utility necessary for processing data. This state-of-the-art solution is an industry defining process that will provide security teams a measurable return on investment and a more comprehensive security posture.
In fact, pseudonymisation is a technique that has been recommended by ENISA in a recent report. However, the relatively new addition of pseudonymisation to the cybersecurity oeuvre means that there is still some uncertainty requiring education on best practice and use cases. To put it simply, according to GDPR definitions, “pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”. Therefore, one might suggest that if organisations followed the guidelines stipulated by ENISA when they were first released, then it would have laid a strong foundation for the implementation of GDPR. If more enterprises had deployed data-centric security practices that align with the recommendations of information commissioners, then perhaps we would have seen fewer major data breaches hitting the headlines. Instead, many organisations are only just understanding how valuable information is, and are playing catchup when it comes to data security, giving their competition, and cybercriminals, a head start.
Of the various forms of data pseudonymisation, tokenization is being established as a frontrunner. This method works by substituting a sensitive data element with a non-sensitive equivalent. By tokenizing critical data, analytics can be extracted without exposing confidential data, by observing induvial with identical tokens. This method protects sensitive data throughout its lifecycle and, most importantly, if someone were to stumble across this tokenized information, it will be invaluable to them. Therefore, by deploying a security system that protects the data itself, not just the location that the data resides, enterprises will be on their way to achieving a holistic data-centric security mindset that will protect data from unwanted eyes while simultaneously complying with regulations.
The correct implementation of tokenization, or similarly accepted pseudonymisation techniques can be incredibly beneficial to companies who are facing the challenge of procuring a security solution that both ticks the various boxes of respective regulations such as HIPAA, PCI DSS, CCPA and many others, while simultaneously protecting data and affording analytical value.