Four Data Security Falsehoods Harming Your Company Right Now
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Arti Raman of Titaniam tackles four data security misconceptions that will impact your company if left unchecked.
Organizations’ fast pace of digitization, rapid adoption of cloud services, and enablement of hybrid workforces have increased their data security challenges. A recent survey found that cyber-criminals can penetrate 93 percent of corporate networks, with credential compromise used in nearly three of four attacks. So, these leaders are right to be concerned. And they have the backing of business leadership in solving problems. Some 40 percent of leaders identified cyber risks as their number-one concern for 2022, and more than two-thirds increased cybersecurity budgets in 2022. However, the risk is that organizations may focus on the wrong priorities due to some common falsehoods that persist in the data security industry. Here’s what those untruths are, why they’re wrong, and what IT and security teams can do about them.
4 Data Security Falsehoods
Falsehood #1: You Can’t Protect What You Can’t Classify
Summary: There is too much data out there, and it is growing too fast to follow the approach of first classifying and then protecting. If we are going to get ahead of the exploding data trend, we will need a way to secure data as it is created. Data needs to be “born secure.”
Organizations capture customer, process, machine, and other data and aggregate and store it on-premise, in the cloud, and increasingly at the edge. IT teams use artificial intelligence to prepare data for analytics and gain a richer picture of enterprise performance. In a survey, data professionals said that their data volumes were growing at 63 percent per month on average, while one in 10 said volumes were growing at 100 percent in the same timeframe.
Organizations classify this data to ensure information confidentiality, integrity, and availability. By classifying data, IT and security teams can ensure it is properly protected, controlled, and accessible to users. However, exponential data growth is creating classification delays, even when organizations use best-of-breed platforms such as data loss prevention, cloud access security broker policy enforcement, data scanning technologies, and more. This negatively impacts the performance of business applications and the productivity of workers.
There’s a better way to address this dilemma. Instead of doubling down on legacy approaches, IT and security teams can deploy a data security platform that enables encryption-in-use. Data encryption-in-use allows employees to use all of an organization’s data: searching, analyzing, and processing it, without waiting for data classification processes to complete.
Falsehood #2: Payment Card-Style Tokenization Protects Other Data
Summary: Payment card data is unique in its origin and purpose. It serves a single purpose and has no inherent meaning. This is why it lends itself to being tokenized. Other valuable data does not share this characteristic and so we must avoid forcing a square peg into a round hole.
Tokenization platforms replace critical business data with an unrelated, randomly generated token (vaulted tokenization) or a cryptographically generated one (vaultless tokenization). Since applications and databases then handle tokens rather than the sensitive data itself, attackers don’t gain anything of value if they break into systems.
This technology is used by retailers, credit card providers, government agencies, and healthcare companies to protect data such as financial transactions, social security data, and medical information. Some 40 percent of organizations spend more than $1M on these solutions annually. The difficulty is this technology is incredibly cumbersome. It is expensive, disruptive, ineffective, and a barely usable security control. Credit card companies market it heavily because it works more or less well for payment cards, which are already tokens. So, for this use case, tokenization swaps one token for another.
Tokenization doesn’t work as well for other data types, especially when business owners want to use their data for analysis, new product development, or other purposes. They’re then confronted with two bad choices. Users can either detokenize the data every time it’s needed, which is inconvenient and slow, or not tokenize it at all. Both approaches create security risks. These issues are why 99 percent of business users are dissatisfied with traditional tokenization methods.
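An added example, not from the article or from any vendor's product: a minimal sketch of the vaulted and vaultless tokenization described above, showing why a prefix-style analytics query has to detokenize first. The class names, the toy Feistel construction, and the account numbers are assumptions constructed for illustration.

```python
import hashlib, hmac, secrets

class VaultedTokenizer:
    """Vaulted: random token; the vault table is the only link back to the value."""
    def __init__(self):
        self._by_value, self._by_token = {}, {}

    def tokenize(self, value):
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)  # unrelated to the value
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]

class VaultlessTokenizer:
    """Vaultless: token derived from value and key, nothing stored.
    Toy Feistel network over even-length digit strings (an assumption of
    this example; it is not NIST FF1 and not for production use)."""
    ROUNDS = 8

    def __init__(self, key):
        self._key = key

    def _f(self, i, half):
        mac = hmac.new(self._key, f"{i}:{half}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac, "big")

    def tokenize(self, digits):
        if not digits.isdigit() or len(digits) % 2:
            raise ValueError("expects an even-length digit string")
        w = len(digits) // 2
        left, right = digits[:w], digits[w:]
        for i in range(self.ROUNDS):
            left, right = right, f"{(int(left) + self._f(i, right)) % 10**w:0{w}d}"
        return left + right

    def detokenize(self, token):
        w = len(token) // 2
        left, right = token[:w], token[w:]
        for i in reversed(range(self.ROUNDS)):
            left, right = f"{(int(right) - self._f(i, left)) % 10**w:0{w}d}", left
        return left + right

def count_prefix(values, prefix):
    """Analytics-style query: how many records start with `prefix`?"""
    return sum(v.startswith(prefix) for v in values)

# Constructed sample data: 10-digit account numbers, three under prefix "4421".
ACCOUNTS = ["4421000017", "4421000388", "9007314452", "4421996120"]
```

Both tokenizers keep equality lookups working because the same value always maps to the same token, but `count_prefix` only returns the true count on detokenized values.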
There’s another way to protect sensitive data. Organizations that use data encryption-in-use platforms gain next-generation tokenization capabilities that offer both vaulted and vaultless options. Business teams can use both structured and unstructured data for search, tagging, and analytics. Organizations enable more use cases, while still encrypting data and meeting customer and compliance requirements.
Falsehood #3: Zero-Trust Means Only Trusting Authenticated Users
Summary: Zero Trust literally means to trust nobody. Whoever and whatever gets trusted becomes an avenue for attack. This is also true for authenticated users who are conduits for data breaches in a vast majority of cyber attacks. True Zero Trust would require us to close this gap.
The zero-trust security model continuously authenticates users and sessions, using data such as identity, credentials, endpoint type, location, and more to do so. A zero-trust architecture ensures that users are legitimate and that they have the right privileges to use the systems they’re requesting access to. Organizations layer multiple systems to enable zero trust and create a defense-in-depth approach to cybersecurity.
However, cyber-attackers can overcome zero-trust security models. They can emulate legitimate users by stealing credentials and devices and gaining access to push multi-factor authentication codes. Stolen credentials are still used as the leading vector for cyberattacks. In addition, zero-trust architectures use more systems that must be continuously maintained, introducing the risk of gaps attackers can find and exploit.
To enable true zero-trust, organizations and systems should not trust any user, ever. Instead, organizations should consider deploying a data security platform that uses multiple privacy-preserving technologies, including encryption-in-use. Employees can still access data for use, but don’t gain access to clear-text files that can be easily exposed and exfiltrated.
Falsehood #4: With Ransomware, Resilience is the Ultimate Goal
Summary: Ransomware actors extort companies based on leverage, and leverage comes in two forms: Data Theft and System Encryption. Resilience involves recovering from backup, and this enables companies to avoid giving attackers leverage based on System Encryption. The Data Theft aspect remains unaddressed. To address Data Theft, we need to look to advanced technologies such as encryption-in-use.
Ransomware is so pervasive that many organizations are giving up the fight and settling for resilience, or the ability to recover after attacks. Around 70 percent of businesses were victimized by ransomware in 2022, meaning that most have experienced stolen data and paralyzed IT systems. Most IT teams believe that they have two options. They can either back up and restore data after an attack or pay ransoms and hope for the best. Instead of resilience, organizations should seek to achieve immunity from attacks. When data is encrypted in use, attackers can’t access valuable cleartext data and thus have nothing they can steal and sell.
Increase Trust in Data Security by Overcoming Falsehoods
IT and security teams are overwhelmed by their growing responsibilities. They have more data to protect, users to enable, and systems to maintain. Yet, cyber-attacks are coming ever faster. The solution is not to keep layering more systems on already-complex architectures. Instead, IT and security teams can look for platforms that are multi-functional and bring both trust and truth to data security. A platform that uses encryption-in-use and other privacy-enhancing technologies frees IT and security teams from data security falsehoods. It also protects organizations’ most valuable resource from misuse, while liberating it for use so that employees can improve business processes.