Would You Steal Data That Cannot Be Used?

By Ameesh Divatia

From stolen emails to hacked credit reports to acts of industrial espionage we never hear about and now processor vulnerabilities, data breaches can cripple organizations, compromise customers, invite regulation and destroy systemic confidence.

According to Gartner, the industry spent roughly $86 billion on cybersecurity in 2017, and yet there were still plenty of headline-making breaches.

It seems like an endless cycle: Organizations keep building walls higher to keep intruders out, but intruders keep finding ways in, often by exploiting the weakest link in any security regime: user behavior.

But what if you didn’t have to care about breaches to your security perimeter anymore? What if you could leave your organization’s most sensitive information in plain sight, even on the public cloud, in complete confidence?

Hackers could hack, phishers could phish, but you could sleep soundly knowing no one could exploit your business or your customers.

In 2018, that vision is closer than ever to becoming a reality. Here’s why.

Encryption is key: According to the site breachlevelindex.com, only 4% of the nearly 6 billion data records stolen since 2013 were encrypted.

So why the gap, considering the effectiveness of the solution?

Most organizations don’t encrypt their data because of the performance tradeoffs. If you want live, real-time data and instantly-responsive applications, the overhead of decrypting encoded data is typically too high. Users experience lag and latency that can defeat the business value companies expect from their IT investments.

There are also complexities around key custody and management. If you lose the key, you lose access to your own data. In that case, the data security “cure” may be worse than the “disease” of data theft it aims to prevent.

Some companies use the limited protection of encrypting the media on which the data resides. That meets certain compliance standards but leaves a backdoor swinging wide open in the breeze. Hackers can access data and keys as it is being processed, because it is processed in the database layer in the clear.

Breaking the bottleneck: It’s reasonable to assume that more companies would use data encryption if these baseline issues of implementation could be solved, since encryption avoids so many of the costs and vulnerabilities of perimeter security. And that’s why the coming year is so exciting. Solutions are at hand.

On the performance front, we can now use the computational power of the cloud to reduce the latency of ironclad encryption to acceptable levels, roughly equivalent to using the (inferior) built-in security protocols that come with off-the-shelf database products. Because we are no longer limited to the processing power of the client device, authorized applications and users can operate on encrypted data with the same fluidity and responsiveness they are accustomed to. This also seals up the vulnerability of hackers using memory scrapers hidden on compromised servers. Everything is fully encrypted end-to-end, even when it is being accessed by an authorized business user or administrator.

Additionally, key management can now be embedded into authorized applications under programmatic control, eliminating the risks of theft or loss if an administrator account is compromised. The only way for an attacker to thwart this level of security would be to gain control of the entire cloud, in which case we’d all probably have much, much bigger problems.

A world without walls: The new security model opens up a wider range of choices for line of business and strategic IT decision-makers free from limitations of security considerations. Organizations can deploy advanced end-user analytics and visualization tools such as Microsoft PowerBI or Tableau, which currently don’t include native support for encrypted data, because security and encryption are managed by a stand-alone, application-agnostic cloud-based solution. Enterprises can move more of their mission-critical workloads to public and hybrid cloud, taking advantage of the superior economics and scalability without having to compromise on security.

Finally, encryption reduces the enormous costs that come with exposure to data loss. Data is fundamentally secure even when perimeter defenses are breached. Organizations won’t face loss of proprietary data that could jeopardize operations or competitiveness; highly sensitive customer data like health records is secured to the standards of the most stringent regulations. Organizations won’t even face damage to their reputation due to a data breach, because companies are not required to disclose theft of encrypted data.

Perhaps the biggest opportunity for disruption is that encryption will destroy the incentives for thieves and hackers by making their conquests worthless.

Why go to the trouble of stealing data you can’t use?

Sooner or later, we will reach a tipping point of “herd immunity” where most data predators have gone extinct and the systemic costs of securing the Internet will drop exponentially.

The first step on that journey begins in 2018. Will that be the year when new approaches finally result in the number of breaches leveling off?

Original article can be found here.