How can it be that marquee enterprises like Capital One, Marriott, Facebook, Yahoo, HBO, Equifax, Uber and countless others continue to lose sensitive information in massive data breaches?
The simple answer is that any organization that sustains a massive data breach clearly did not do quite enough to protect the data itself.
It’s not for lack of trying. Tech consultancy IDC recently estimated that global spending on security-related hardware, software and services is growing at a compound annual growth rate of 9.2% a year and is on a curve to reach $133.8 billion by 2022.
It’s not for lack of best practices frameworks. There are plenty of good ones by government regulators, such as those compiled and distributed for free by NIST; and there’s no end of rules and guidance issued by a wide variety of industry standards bodies.
And it’s certainly not for lack of technology; just visit the vast exhibitors’ floor at RSA Conference or Black Hat USA. I attended both again this year, and at the latter I had the chance to meet with Paul Russert, vice president of product and compliance with a Rancho Santa Margarita, Calif.-based start-up, SecurityFirst.
We discussed how SecurityFirst set out three years ago to begin commercially distributing something called cryptographic splitting technology. As I came to understand it, this new approach leverages multi-factor secret sharing algorithms previously only used by government entities.
Cryptographic splitting appears to be a very direct, and much more robust, approach to protecting the data itself, in a way that makes good sense in the current environment. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways:
Protect the data itself. Sounds simple enough. Yet in the age of Big Data and digital transformation many organizations still don’t do this very well. Legacy perimeter defenses are rapidly losing efficacy as the landscape shifts to cloud computing and the Internet of Things.
Cryptographic splitting has to do with encrypting data, splitting this encrypted data into smaller, random chunks, and then distributing those smaller chunks to several storage locations. At each storage location, yet another layer of encryption is added.
This has a number of advantages, Russert told me. It’s well suited to hybrid networks; one or more storage locations can be in different cloud services, and another could be on the company premises. Access policies can be granularly set and access monitoring can be continual.
If a hacker successfully breaches one storage location, the data stolen would be unintelligible, since full decryption requires keys stored at one other location. Likewise, if one storage location goes offline for any reason, say a ransomware attack or an earthquake, the full data set can be recovered from the other locations.
Cryptographic splitting is possible today because processing speed, cloud storage and data analytics have steadily advanced to make it so. Russert advised me to think about what SecurityFirst does as “intelligence decryption.”
“The data is automatically encrypted, and so basically it’s really about controlling who can see that data decrypted, and then auditing to make sure the right people are accessing the data,” Russert says. “And it’s also about really making sure that any unauthorized access is noticed.”
Initial development of SecurityFirst’s DataKeep product line began several years ago and was centered around developing, testing and gaining patents for algorithms focused on cryptographic splitting. Information gets effectively split, double encrypted and stored across multiple servers. And certain pieces need to be retrieved from at least two of the storage servers to reconstitute the data whole.
“So you could actually lose a piece and it doesn’t matter,” Russert told me. “DataKeep itself works off of policies that say who can or cannot access data in the decrypted state. It monitors and keeps track of all of that.”
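To make the "lose a piece and it doesn't matter" property concrete, here is an added example (my own illustration, not SecurityFirst's patented DataKeep code) of the threshold split described above: a Shamir k-of-n split over the prime field GF(257), applied byte by byte to a blob that is assumed to be ciphertext already. It generalizes the 2-of-3 case in the text to any k-of-n; the extra per-location encryption layer the article mentions is left out.

```python
import secrets

P = 257  # smallest prime above 255: every byte is a field element (shares may hold 256)


def split(blob: bytes, n: int = 3, k: int = 2) -> list[tuple[int, list[int]]]:
    """Split blob into n shares such that any k reconstruct it.

    Each byte gets its own random degree-(k-1) polynomial whose constant term
    is that byte; share x stores every polynomial evaluated at x.
    """
    if not 1 < k <= n < P:
        raise ValueError("need 2 <= k <= n < 257")
    coeffs = [[secrets.randbelow(P) for _ in range(k - 1)] for _ in blob]
    shares = []
    for x in range(1, n + 1):
        ys = []
        for byte, cs in zip(blob, coeffs):
            y = byte
            for power, c in enumerate(cs, start=1):
                y = (y + c * pow(x, power, P)) % P
            ys.append(y)
        shares.append((x, ys))
    return shares


def combine(shares: list[tuple[int, list[int]]], k: int = 2) -> bytes:
    """Recover the blob from any k distinct shares by Lagrange interpolation at x=0.

    Fewer than k shares leave the constant term uniformly random, which is why
    a single breached storage location yields nothing usable.
    """
    if len(shares) < k:
        raise ValueError("too few shares to reconstruct")
    shares = shares[:k]
    xs = [x for x, _ in shares]
    if len(set(xs)) != k:
        raise ValueError("duplicate share indices")
    out = bytearray()
    for pos in range(len(shares[0][1])):
        acc = 0
        for xi, ys in shares:
            num = den = 1
            for xj in xs:
                if xj != xi:
                    num = num * (-xj) % P      # product of (0 - xj)
                    den = den * (xi - xj) % P  # product of (xi - xj)
            acc = (acc + ys[pos] * num * pow(den, P - 2, P)) % P
        out.append(acc)
    return bytes(out)
```

In a deployment each share would be stored at a different location (cloud or on-premises) and wrapped with that location's own key, so an attacker holding one store has neither enough shares nor the outer key.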
Capital One allegedly got hacked by — and lost personal data for 100 million bank patrons to — a laid-off Amazon IT staffer who exploited a misconfigured firewall to steal the data from where it sat on an Amazon Web Services server rented by the bank.
Equifax lost data for 148 million citizens. Hackers leveraged a vulnerability in something called Apache Struts, an open-source application framework that supports the credit bureau’s web portal, and merrily exfiltrated the data, between May 13 and July 30, 2017.
Cryptographic splitting, it would seem, holds the potential to prevent these types of hacks going forward. It seemed to me, also, that it’s the type of advanced data visibility tool that should help enterprises not just meet, but actually supersede, stricter data privacy regs like Europe’s General Data Protection Regulation, New York State’s Department of Financial Services Cybersecurity Regulations and California’s new Consumer Privacy Act.
I asked Russert about this; here’s what he told me:
“If you look at the compliance requirements, there’s a whole area having to do with the security of processing data. Who can see that data for the steps that the data needs to be used in processing? Not everybody needs to see all of the data . . . We focus on the roles and who can see that data and what they can see. And we keep the data encrypted all time. And then we audit the data to make sure that it’s being used in the right way.
“So from a compliance standpoint, if you actually split that data, then you’re even adding an extra level of security. If somebody got into one single server, got into that storage and only got a piece of that data, it would be absolutely worthless.”
Protecting the data itself is logical and smart. It bakes security in and at the deepest level. Even better, it’s an approach that compels companies to make more considered choices about collecting and storing personal data indiscriminately.
Could cryptographic splitting put us on a path where control of private information reverts back primarily into the possession of the individual? One can only hope. Talk more soon.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/new-tech-how-cryptographic-splitting-bakes-in-security-at-a-protect-the-data-itself-level/