Data security is an old cat-and-mouse problem that received heightened public attention after widely publicized breaches that affected millions of consumers. And, of course, any entity entrusted with personal data must have due diligence processes in place. But companies must also safeguard their trade secrets, design specifications, and methods, and other proprietary and confidential information — their “crown jewel” data.
How do you keep your data secure, both at rest and in transit? How do you make sure data is readily accessible to everyone in the company who is authorized to see and use it?
The Black Market for Big Data
Criminal organizations have been able to penetrate data systems because older security measures like passwords and MD5 hash algorithms have become very easy to crack with services like Amazon Web Services; a crack can cost under a dollar and take less than a day. Legal, commercial solutions are also becoming commonplace. Designed to be used as penetration testing tools, they can easily be used against you.
It seems we constantly hear about a new data breach endangering users’ personal information, such as Yahoo’s announcement in December 2016 that more than one billion user accounts were compromised. Breaches cost companies millions of dollars, not including the intangible losses incurred when private data gets sold to the highest bidder.
Because the markets for both personal and proprietary commercial data are brisk, criminals and hackers will continue to target critical corporate data. A secure data access system must be strong enough to defeat most attacks, and smart enough to limit the access of any outsiders who do manage to penetrate it.
Essential elements for secure data access
A secure data access strategy requires protection for data being transmitted (“on the wire”) and stored. Because data on the wire is viewed as most vulnerable, there are multiple technologies to secure it. More recently, however, numerous security breaches of corporate data at rest have elevated the role of protecting stored data. Industry experts recommend that organizations employ both kinds of protection.
There are three essential elements for data security:
- Data itself – a data access solution itself is a measure of protection for the enterprise. Knowing where data is at all times means there’s less risk of losing track of it.
- Access Control – role-based access control regulates the access of users to information based on activities they perform in a system, assigns them a profile that defines their role in an organization, and gives that role a set of permissions that controls their access to data.
- Encryption & Authentication – a secure data access platform should enable confidentiality through a mature hierarchical authentication and encryption framework, preventing multiple classes of security threats and protecting data integrity.
Why up-to-date security at all levels is crucial
A secure data access platform should extend all the way to the confidentiality level, except in cases where there is a good reason to do otherwise. The main algorithms that protect data today are known as cryptographic hash functions. They perform digital operations on data to compute a “hash”—a digital fingerprint—for that data.
By comparing the computed hash to a known and expected hash value, one can determine the data’s integrity. These hash functions are considered to be practically impossible to “invert” (meaning to recreate the original data from its hash value.) Criminals have repeatedly and spectacularly proved otherwise.
The most popular hash algorithm from a few years ago, MD5, is so fragile it can be broken for cents and in hours using free tools. SHA-1, the once suggested and much more robust alternative, was originally predicted to cost $700,000 to crack by 2015. Low-cost cloud computing server instances have decreased this value to $75,000-$120,000. This is well within the budget of well-funded individual criminals. When LinkedIn was hacked in 2012, their passwords were hashed only with SHA-1, resulting in 184 million passwords posted online.
Thus, a secure data access strategy requires support for the stronger SHA-2 standard, a set of cryptographic hash functions designed by the US National Security Agency. As of January 1, 2017, SHA-1 is no longer supported by the most popular web browsers, so SHA-2 is essential.
Takeaway
Effective security is essential in today’s connected and competitive world and requires a multi-layered approach. A data access solution itself is the first layer of protection for the enterprise because losing knowledge of where the data resides is essentially the same as losing the data itself. At the second layer, role-based access control lets you specify who should be able to see and modify data. Finally, you need encryption both on the wire and at rest to make sure your data access platform isn’t putting crown-jewel data sets at risk.
