Building data security resilience
By Faheem Suban.
We had the pleasure of hosting our third Foresight event of 2021 with “Reimagine, Rethink and Rebuild” as the theme. Topics included considering changes in wellness and activity levels since Covid, the possible impacts of Long Covid and we also explored a refocus on data security in order to build data resilience.
When building resilience in data security, one must bear in mind that complacency is the enemy. Complacency has been described as “the kiss of death”, and this description remains apt for data security practices: technology changes rapidly, and data security practices must improve along with it. Simple examples of complacency in data security include continuing to use legacy programmes, technologies and languages for which support no longer exists. Some business practices now focus on the phrase “data is the new oil”, resulting in a frenzy of data ingestion by any and all organisations that is no longer limited to big tech companies such as Google. In this frenzy, some organisations collect data for which they do not yet even have a use, but we can safely assume that a breach of this data would damage the organisation, if only in terms of its reputation. To be more resilient, we should bring as much enthusiasm to securing data as we do to extracting monetary value from it.
There are four key ways in which we build data security resilience and which could be applied to any organisation, namely:
- Building a culture of data security;
- Remaining aware that we can only collect data which we can afford to protect;
- Saying goodbye to passwords; and
- Building a protected central identity which allows subsequent access to underlying services to also be protected.
Establishing a culture of data security
In an ideal world, organisations would share vital information on data breaches. This would allow other organisations to learn about data vulnerabilities which could be exploited. In the absence of this culture of sharing vital information, the world we live in today has become a hacker’s paradise: hackers move from one company to another, exploiting the same vulnerabilities. While such sharing may be utopian and is not realistically feasible, we can focus instead on establishing an internal culture of data security that spans the whole organisation, from senior management to the most junior staff. All staff should be trained in data security protocols, so that each person in the company understands the importance of data security and is able to call into question any weak data security protocol which requires improvement.
Remaining aware that we can only collect data which we can afford to protect
While this tenet is a bit of a cliché, it exists for a good reason. Resilient data security costs money, with the overall spend on cybersecurity reaching upwards of 43 billion US dollars in 2020. The fact that data security can be expensive often leads to internal debate and consideration of trade-offs. For example, a company’s sales team may be reluctant to spend money on data security because they operate in an environment where competitors spend very little or even nothing on data security, making the competitors’ service or product offering more competitive on price. The unfortunate reality is that data security is intangible, meaning it is difficult to quantify its value or to compare its value between companies.
Insight has invested in data security and has achieved data security certifications to evidence this. However, we also realise that another aspect of the cost of data security is becoming increasingly important: its indirect costs. Data security risk is no longer confined to our own internal IT infrastructure. It has become important to choose business partners and service providers carefully, ensuring that their emphasis on data security reflects our own culture.
Say goodbye to passwords
No data security discussion is complete without talking about passwords. Password recycling has become a very common occurrence nowadays. The human memory tends to be quite fallible, so we resort to using passwords that are easy to recall, including personal information such as the name of a loved one, date of birth, wedding date and so on. In addition, we recycle these passwords across all digital services that we consume. From a data security perspective, this is distressing, as hackers with your personal information (which they may source from publicly available social media accounts) can guess your password with relative ease and infiltrate a particular account. Alternatively, if a data breach occurs within one of the many digital services we use, your username and password could become available to hackers, who could then compromise all your other accounts.
The natural question that follows from here is “how do we prevent this?” One solution is the use of a password manager. These services can generate very long and secure passwords for all your digital services and store these passwords in a central database. They require you to remember only a “master password” that is used to access all other passwords.
A second solution is the use of biometrics, which is included in most newer devices purchased today. This includes features such as fingerprint scanners and facial recognition, allowing for more secure access control.
A third solution is Two-Factor Authentication (2FA), often used by online banking services to verify transactions, for example. An important tip here is to use app-based 2FA (e.g. Google Authenticator) instead of SMS-based 2FA (e.g. receiving a one-time password by SMS). The reason for this is that phone cloning has recently become a trend among cyber criminals. If these criminals can clone your phone, they will have complete access to your one-time passwords, but will not necessarily have access to 2FA apps, making apps a more secure alternative.
Building a protected central identity which allows subsequent access to underlying services to be protected
The last principle in building data security resilience is building a protected central identity; however, most organisations do not have a centralised identity. To understand this lack of central identity, consider the use of monolithic applications, which are designed to behave as a single unit. Monolithic applications have their own data, business rules and user interface. Importantly for data security, they also have their own set of usernames and credentials. For example, a single company may have a CRM tool for customer relations, an administrative system to administer clients, a financial system for finances, etc. This brings us back to the password recycling problem and all the data security risks that come along with it.
Monolithic applications also present further problems:
- They are typically high in capital expenditure due to high purchase prices.
- One piece of software cannot cater to all business needs – for smaller businesses that do not have the budget to purchase multiple pieces of software, this may lead to some business functions being forced to fit the technology as opposed to the other way around.
- These applications become outdated and insecure over time, so costly annual maintenance fees need to be paid, further increasing expenditure.
Technology improvement over time has allowed for a central identity through microservices such as Microsoft Azure or Amazon Web Services instead of monolithic applications. In contrast to monolithic applications, microservices provide an organisation with a centralised identity provider, meaning that users sign into a single workspace to access all necessary applications, rather than signing into that workspace and then into each individual application separately. These developments also introduced a new procurement model. As an example, consider Microsoft Office 365, where companies pay a monthly licensing fee for each employee as they join the organisation. As employees leave, the licence can be decommissioned, and the company stops paying for that particular user.
Microservices have a host of other advantages:
- The per user per month pricing model means lower capital expenditure and easier scaling.
- The flexibility of the pricing model means that companies no longer need to rely on a single solution for all business needs, and can instead source the right tool for the right job at the right time.
- The development of data virtualisation effectively separated the application from the data itself. This separation provides data security benefits, and it also gives flexibility in how the data can be used and accessed across different areas within a business.
- Businesses can now create a central approach to data security for the organisation and for its service providers, who are required to follow the security protocols of the central identity. This maintains cost-effectiveness while also maintaining the business’s governance and security protocols.
In practice, security protocols are maintained using centralised identity standards such as SAML and OpenID. These standards require their own discussion to be properly understood, and organisations should be encouraged to become more familiar with these concepts in order to build their culture of data security.
In conclusion, Insight uses the four principles outlined above to ensure resilient data security. We remain aware that even when we feel our security protocols are strongly fortified, we need to remind ourselves to avoid complacency and search for continual improvement.