Micro Focus Warns on the Risk of Incomplete Data Protection: A Wake-Up Call Following Recent Mega-Breaches
Once again we are witnessing a mega data breach, this time affecting two out of three adults in the United States, with highly prized personal data and credit history exposed to criminal actors, putting consumers at risk of identity theft. This follows similar breaches at large financial services providers in Europe, and is an ongoing battle for all enterprises.
Breaches like this are avoidable through neutralizing data: advanced data-centric security models are embraced by the world's leading organizations to get ahead of these risks. With the right pervasive application-level security strategy, data can stay encrypted and neutralized in use, at rest, and in motion, from the instant of capture to the point of destruction. If it is compromised, the attackers get nothing, and the fallout is avoided. For most PII data like SSN, credit card number, DOB, name, or banking details there should be zero need to store it as high-risk live data, ever, at global scale. Under regulations like PCI, HIPAA and GDPR, these techniques can substantially blunt compliance costs. Beyond simpler compliance, the world's top brands are already well ahead in adopting this strategy as a combined risk reducer and enabler of deeper data insights, without the burden that live data carries with it. If you want to grow and adapt today against your competitors, data has to be open for business, without risk.
Data is the currency of growth for enterprises and criminals alike. Attacks compromising personal data that can be monetized for fraud and identity theft are only going to increase, damaging company value and risking reputation. With the wide data ecosystems that your sensitive data flows within, it is critical for organizations to look for holistic, end-to-end, comprehensive data-centric solutions to mitigate threats, and to avoid limited approaches that may have unknown security value, only secure data at rest on a set of servers or devices, may themselves be exploitable through lack of validation, or secure data over only a fraction of its entire lifecycle, inside and outside company boundaries.
To achieve a “breach neutralized” approach, today’s businesses must secure data:
- Inside the enterprise, in applications and transaction processing: in storage, in use and in motion;
- As it is ingested, used and stored in analytic platforms and big data;
- In motion from the enterprise edge, in streams feeding the data lake;
- Captured from consumer-facing web and mobile applications into enterprise applications; and
- With persistent data-level protection across any enterprise application, legacy IT platform, new microservice, and hybrid IT workloads and cloud bursts.
Best-in-class data security platforms enable data-centric security from the edge to the core and beyond for sensitive data elements – keeping data safe using methods that are not only proven in industry, but validated and proven by standards groups, such as the National Institute of Standards and Technology (NIST).
There’s no value, and indeed a false sense of security, in implementing proprietary solutions that have no validation of methods or implementation. Recently, we’ve seen the Federal Trade Commission (FTC) come down hard on vendors or enterprises making claims of security that don’t stand up to scrutiny, with fines and public notification. The FTC, rightly so, is putting the industry on notice to beware of the consequences of cutting corners to the vital security of their customers’ data and privacy.
In today's fast-moving DevOps-centric world, where developers don't have time to think about risk, data-security and privacy controls should be quick to "build in" to applications, securing the data itself wherever it may go next, to meet today's "Privacy by Design" best practice demanded by new regulations like the General Data Protection Regulation (GDPR) and recent cyber-risk laws enacted throughout the world. Consistent data security should be centrally managed so developers don't have to worry about policy and can get on with advancing the business through innovation and insight.
Micro Focus's recommendations for enterprises concerned about their data in light of recent large breaches are:
- Overall: Take a unified, uncompromising platform approach to data-level security across enterprise applications, mainframe systems, analytics, and cloud workloads to avoid the need to expose live data, and use centrally enforced policy and controls with strong identity management.
- For securing data capture in internet-facing applications: Use end-to-end encryption to protect the entire data lifecycle, with technology that includes page-integrated encryption to close security gaps in web servers capturing data. Protecting at the source avoids live data then passing into low-trust environments that can be attacked and compromised.
- For mobile applications capturing sensitive data: Use end-to-end encryption from mobile apps capturing consumer data and consumer on-boarding processes, to avoid live data being exposed in mobile apps and in data flows to processing hosts.
- For analytics and big data: De-identify and pseudonymize data so that live data need not be exposed except for the absolute minimum of uses, which are monitored and policy-controlled.
- For neutralizing data from breach risk in hybrid IT: Choose pseudonymization and encryption methods that are proven, standards-accepted and validated, and that also retain data meaning, so business and analytic science can still be processed without attack risk. Avoid the need to decrypt data!
- Turn the tables on the attackers: Take the modern view that data elements should be secured by default using contextual approaches, such as those the more advanced implementations of format-preserving encryption (FPE) enable, which still allow data to be used while secured. This contrasts with the older approach of locking data down in silos and rendering it unusable, which makes access a complicated process that exposes data in the clear unnecessarily.
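The recommendations above hinge on one property: a protected value keeps its format and its meaning (the same input always yields the same token, so records can still be joined and analyzed) while the live value never needs to be stored. The following example, added here and not code from Micro Focus or its SecureData product, illustrates that property with a small Feistel-based format-preserving cipher over digit strings. It uses HMAC-SHA256 as the round function purely so it runs with the Python standard library; it is not NIST FF1 (SP 800-38G) and is not a validated method, which is exactly the kind of implementation the article tells you to ask for in production. The key, tweak and the sample records are constructed for the illustration.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so both halves end in their original positions


def _prf(key: bytes, tweak: bytes, round_no: int, half: str) -> int:
    """Keyed round function: HMAC-SHA256 over (tweak, round number, right half).

    The tweak gives domain separation (an SSN and a card number that happen to
    share digits encrypt differently), mirroring the role of a tweak in FF1.
    """
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _check(digits: str) -> None:
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("input must be a string of at least two decimal digits")


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt an n-digit string to another n-digit string (toy FPE, not FF1)."""
    _check(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # width of the half being replaced
        c = (int(a) + _prf(key, tweak, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)           # zfill keeps leading zeros, i.e. the format
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    _check(digits)
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        b_prev = a                          # the right half before this round
        a_prev = (int(b) - _prf(key, tweak, i, b_prev)) % 10 ** m
        a, b = str(a_prev).zfill(m), b_prev
    return a + b


def protect_records(key: bytes, records: list) -> list:
    """Replace the live 'ssn' field of each record with its format-preserving token.

    Because the cipher is deterministic under a fixed key and tweak, equal SSNs
    map to equal tokens, so analytics can still group and join on the field.
    """
    return [dict(r, ssn=fpe_encrypt(key, b"ssn", r["ssn"])) for r in records]


if __name__ == "__main__":
    # Constructed key and sample data; a real deployment draws the key from an HSM/KMS.
    key = hashlib.sha256(b"example key material, not for production").digest()
    sample = [
        {"id": 1, "ssn": "123456789", "city": "Denver"},
        {"id": 2, "ssn": "987654321", "city": "Austin"},
        {"id": 3, "ssn": "123456789", "city": "Boise"},   # same person as id 1
    ]
    protected = protect_records(key, sample)
    for row in protected:
        print(row)
    # Only a holder of the key can recover the live value, and only when policy allows.
    print(fpe_decrypt(key, b"ssn", protected[0]["ssn"]))
```

Notice that the protected rows still look like nine-digit SSNs, so existing schemas and validation rules keep working, and rows 1 and 3 carry the same token, so a join on the field still succeeds without ever exposing the live number. Swapping in a NIST-validated FF1 implementation from a certified library changes only the two cipher functions, not the data model.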
What can businesses do when working with partners in sharing personal data for legitimate purposes?
- Determine the risk to data outside your control: Ask how data is protected in use, in motion and in storage. Is it consistent across the data lifecycle, as noted above?
- Ask for proof: Ask if security methods are validated to accepted standards such as NIST with Federal Information Processing Standards (FIPS) certification
- Avoid risky proprietary methods that might have unknowns or back doors – avoid “proprietary” which could be a red flag to regulators such as the FTC stating “Rather than reinventing the encryption wheel, the wiser approach is to employ industry-tested methods that reflect the collective wisdom of experts in the field.”
- Ask if the protection is end to end. If it’s just in storage or a similar silo, it likely means incomplete protection of your data when gaps in protection are eventually exposed.
What can the 140 million consumers affected do to reduce their personal risk of this data breach?
- Consider a credit freeze to reduce the risk of your data being abused for fraudulent credit applications
- While credit monitoring services may be appealing, keep in mind these also require submission and consent to access more personal data such as that just breached.
- Use your financial services providers' solutions to monitor your finances, especially those tools with strong security, and
- Watch out for suspicious looking emails you’re not expecting that have a call to action such as clicking a link, calls from vendors offering unusual offers requiring your sensitive personal data, and never give up your personal data to anyone you don’t know.
- Avoid using the same password across sites, and, even better, use a secure tool to generate random passwords that aren't easy to guess.
While there’s no magic bullet that can completely eliminate all risks, companies and individuals can certainly take the right steps to mitigate the consequences of a breach, and the effects after by properly safeguarding their data. As always, we’re here to help—please contact Micro Focus for a conversation about your individual situation and needs.
About the Author:
Mark Bower is Global Director of Product Management for Micro Focus. He will be delivering the Data Security Keynote session at Protect 2017, as well as presenting on “Mapping SecureData to GDPR requirements: Best-practices on practical use cases” and panel moderator for “GDPR: The opportunity within the challenge.”