According to IDC (via ZDNet), in 2019, businesses were projected to spend $103 billion on security-related software, hardware and services, and this figure is expected to reach nearly $134 billion by 2022. This has not prevented hackers from invading the IT ecosystem and accessing confidential data. Data breaches have only been increasing, and IDC (via CIO Dive) estimated that more than 1.5 billion people would have their private information exposed through data breaches by 2020. Enterprises have been relying on many “silver-bullet” solutions to mitigate their data security woes, but instead, I believe they have only managed to make data security complex and costly.
Why is cybersecurity so complex? It need not be. All we are doing is controlling what data is accessible by whom (person) or what (application). Customers already provide identity (identity and access management/single sign-on) and the access control policies that dictate access to systems and data. So, the vast amount of security complexity arises only because many security tools cannot reliably enforce those access controls. For example, firewalls are supposed to keep bad network packets away from the network, antivirus tools are supposed to keep your computer inaccessible to malicious processes, browsers try to keep cookies inaccessible to websites that didn’t create them, and databases are supposed to be accessible only to people with the right authorizations — but we know the software system is complex. One vulnerability in one piece of software or one misconfiguration, and the whole security structure falls apart.
The 2020 Data Breach Investigation Report from Verizon points out that one of the best ways to limit the leakage of data is to control access to sensitive information. These controls may include maintaining an inventory of sensitive information, encrypting sensitive data and limiting access to authorized cloud providers. The report also points out that misconfiguration (such as missing access controls) is the key error variety in transportation industry breaches.
Recently, the popular social media platform Twitter faced a major breach in which it said that “hackers targeted about 130 accounts, tweeted from 45, accessed the inboxes of 36 and were able to download Twitter data from seven.” Hackers targeted a small number of employees who had access to account support tools through a “phone spear-phishing attack.” The Twitter breach is a perfect example of how cybercriminals target users to gain unauthorized access to the IT ecosystem.
Identity + Access Controls = Security
How do we simplify the process of securing data? As the CEO of a company that offers security solutions such as confidential computing technology, I believe we can start with a simple security idea of verifying identity and applying access control to data. Prevent cybercriminals from impersonating the identity of machines and users. Then, ensure no one can violate access controls for data, even when they have physical control and put malware on the system, and even when the OS is compromised. As simple as this sounds, it requires a fundamental shift in how we approach cybersecurity: from building network perimeters around data to assuming everything else is potentially compromised and securing the data itself.
Using Cryptography To Secure Data
The most effective way to secure data is to encrypt it and then only decrypt it when an authorized entity (person or app) requests access and is authorized to access it. Data moves between being at rest in storage, in transit across a network and in use by applications. The first step is to encrypt data at rest and in motion everywhere, which makes data security pervasive within the organization. If you do not encrypt your network traffic inside your “perimeter,” you aren’t fully protecting your data. If you encrypt your primary storage and then leave secondary storage unencrypted, you are not fully protecting data.
While data is often encrypted at rest and in transit, rarely is it encrypted while in use by applications. Any application or cybercriminal with access to the server can see Social Security numbers, credit card numbers and private healthcare data by looking at the memory of the server when the application is using it. A new technology called confidential computing makes it possible to encrypt data and applications while they are in use. Confidential computing uses hardware-based trusted execution environments (TEEs) called enclaves to isolate and secure the CPU and memory used by the code and data from potentially compromised software, operating systems or other VMs running on the same server.
With this dynamic form of data security, businesses have the freedom to accelerate their digital transformation, combine and analyze private data, and deliver secure applications. When we make this shift as an industry, private data will remain secure on-premises, in the public cloud and everywhere in between.
When it comes to implementing confidential computing technology, there are two distinct approaches: developing or rewriting applications to take advantage of confidential computing and converting existing applications to run in confidential computing environments (also called “lift and shift”). In the first case, developers should be trained on how to use the unique security functionality of secure enclaves and best practices — including terminating encrypted network traffic in the enclave, using attestation services, and proper access control policies. The second option is essentially a plug-and-play conversion of the application that allows it to run in confidential computing environments.
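The practices listed above, attestation in particular, are what tie the earlier idea of "decrypt only for an authorized entity" to confidential computing: a key broker releases a data key only after the enclave proves, through a hardware-signed report, that it is running approved code and answered a fresh challenge. The following example is added here and is not code from the article or from any vendor's SDK. It models that attestation-gated key release in Python; the hardware attestation signature is simulated with HMAC under a constructed key, and the report layout, measurement value, nonce handling and broker policy are illustrative assumptions rather than any real TEE's report format.

```python
"""Attestation-gated key release, simplified model (added example).

A relying party (the key broker) hands out a data-encryption key only when
the requesting enclave presents a signed attestation report whose code
measurement matches policy and whose nonce answers a live challenge.
The hardware signature is simulated with HMAC-SHA256 over a constructed
key; real TEEs sign reports with vendor-certified asymmetric keys.
"""
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the CPU's attestation key. Shared with the
# broker only because this is a simulation.
HW_ATTESTATION_KEY = b"constructed-hw-attestation-key"

# Policy: the only enclave measurement (hash of loaded code) allowed to
# receive the key. Constructed value.
TRUSTED_MEASUREMENT = hashlib.sha256(b"approved-enclave-build-v1").hexdigest()

# The secret the enclave needs to decrypt its dataset. Constructed value.
DATA_KEY = b"\x01" * 32


def enclave_produce_report(measurement: str, nonce: str,
                           key: bytes = HW_ATTESTATION_KEY) -> dict:
    """Simulate the TEE binding code identity to the broker's challenge."""
    body = {"measurement": measurement, "nonce": nonce, "debug": False}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class KeyBroker:
    """Relying party: verifies reports and enforces release policy."""

    def __init__(self, trusted_measurement: str = TRUSTED_MEASUREMENT):
        self.trusted = trusted_measurement
        self.pending = set()  # nonces issued but not yet answered

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def release_key(self, report: dict):
        """Return (key, reason); key is None on any policy failure."""
        body = report["body"]
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(HW_ATTESTATION_KEY, payload, hashlib.sha256).hexdigest()
        # 1. Report must be intact and signed by the (simulated) hardware.
        if not hmac.compare_digest(expected, report["sig"]):
            return None, "bad signature"
        # 2. Nonce must be one we issued and never seen before (no replay).
        nonce = body.get("nonce")
        if nonce not in self.pending:
            return None, "stale or unknown nonce"
        self.pending.discard(nonce)
        # 3. Debug-mode enclaves expose memory to the host; refuse them.
        if body.get("debug"):
            return None, "debug enclave"
        # 4. Only the approved code measurement may receive the key.
        if body.get("measurement") != self.trusted:
            return None, "measurement not in policy"
        return DATA_KEY, "ok"


def run_scenarios() -> dict:
    """Exercise the broker against one honest and three failing requests."""
    broker = KeyBroker()
    results = {}

    # Trusted enclave answers a fresh challenge: key released.
    good = enclave_produce_report(TRUSTED_MEASUREMENT, broker.challenge())
    key, why = broker.release_key(good)
    results["trusted"] = (key == DATA_KEY, why)

    # The same report presented again: its nonce was already consumed.
    key, why = broker.release_key(good)
    results["replay"] = (key is None, why)

    # Genuinely attested enclave, but running unapproved code.
    other_code = hashlib.sha256(b"unreviewed-build").hexdigest()
    other = enclave_produce_report(other_code, broker.challenge())
    key, why = broker.release_key(other)
    results["wrong_code"] = (key is None, why)

    # Report body edited after signing to claim the trusted measurement.
    forged = enclave_produce_report(other_code, broker.challenge())
    forged["body"]["measurement"] = TRUSTED_MEASUREMENT
    key, why = broker.release_key(forged)
    results["tampered"] = (key is None, why)
    return results


if __name__ == "__main__":
    for name, (as_expected, reason) in run_scenarios().items():
        print(f"{name:10s} handled={as_expected} reason={reason}")
```

The order of checks matters: the signature is verified before the nonce is consumed so a forged report cannot burn a legitimate challenge, and the nonce is removed from the pending set before policy is evaluated so a report can be presented exactly once regardless of outcome. In a deployment the broker would also check the vendor certificate chain and TCB version of the report, which this simulation omits.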
Cybersecurity leaders can start the journey toward a data-centric security program by identifying applications with sensitive data that could benefit most from confidential computing. Some of the most common implementations include public cloud applications or databases that contain personally identifiable information (PII), password or credential storage and management systems, and Internet of Things (IoT) scenarios in which devices at the edge are doing computation on sensitive data with no physical security. With the emergence of multiparty computation, AI and machine learning, companies may also be able to use confidential computing to solve the challenge of keeping private data and proprietary algorithms secure. This concept, also known as privacy-preserving analytics, can enable financial services, healthcare and retail to combine private data from multiple sources to extract insights that can improve clinical healthcare applications, support anti-money-laundering activities between multiple banks and target customers more effectively.