As the world continues to embrace newer and better technologies like virtualization, SDN, or pure Cloud-based SaaS, coordinate values in all the 4V dimensions (Velocity, Variety, Volume, and Veracity) are growing exponentially. It means the threats and vulnerabilities continue to increase, and hence, safeguarding guidelines and standards get bigger and stronger. Stricter regulations like GDPR, CCPA, and India’s Personal Data Protection Act are evolving. Still, companies generally see them as a checklist item rather than ensuring that the data is completely secure. However, the EU’s GDPR has transformed how data is stored, accessed, and made available to stakeholders.
By Mahesh Kumar Gupta, Product Manager, Online at RMIT University, Australia
The world has been witnessing cases of massive data breaches at well-known global companies, making the headlines. Interestingly, most of these cases are not “attacks” but pure “theft.” In the world of security, we can’t assume a perfect world assuming any data you keep in the open will be left secure and sound. Physical lockers and safes have existed for centuries to protect valuables. One of the most critical reputation criteria for any bank is the availability and ability to secure valuables in lockers. Similarly, it is the data custodian’s responsibility to ensure that data is kept safe, especially when it is your customers’ data.
Data storage gets more vulnerable
Now let’s look at an example of how the new technologies have inadvertently made data storage more vulnerable. Most of the data breaches we just talked about were due to data being stolen from AWS S3 Objects. The “Simple Storage Service” (S3) of AWS has the concept of buckets and objects, very much like a traditional root folder and the leaf nodes. However, interestingly, a bucket can be marked “private,” yet one or more objects can be labeled “public.” And this can be on purpose, for example, keeping some marketing material in a public object for ease of access by any outsider. Here the issue is not about the integrity of the individuals managing these objects. Still, it is about the changing nature of responsibilities with the evolution of newer and newer technologies.
We all are familiar with the security practices of the last decade. As per the security book definitions, these can be categorized into the following areas:
1. Data hygiene: Keeping data free of any malware for both data at rest and data in motion.
2. Encrypt the data at all times to ensure integrity: Most of the IaaS vendors provide Key Management capabilities for both client-side and server-side encryption.
3. Robust Data Loss Prevention capabilities: In addition to basic templates around social security numbers, credit card numbers, behavioral analytics is becoming increasingly important in controlling access and preserving data.
4. Identity and Access Management: Enhanced RBAC, contextual assessment, and run-time controls for securing data are gaining popularity. For on-prem data centers, a quarantine would generally mean a file being taken out from the original location to a quarantine location. This term has sadly become very popular in these tough.
Need for a Data Quarantine
We are in COVID times. So, the analogy here is institutional quarantine. But in the case of the shared responsibility model, where IaaS vendors provide the infrastructure, a quarantine would generally mean access-based quarantine. The data doesn’t move from its own bucket/storage, but is accessed by a user, based on specific rules, is denied. It’s very much like home quarantine with almost no access to the patient’s room in the house.
With the SaaS model, and the need to comply with standards like GDPR and CCPA, there is a need to enhance transactional efficiency. Hence, the API-driven approach is becoming very popular. Earlier, APIs were considered an additional optional tool, while now, this has become a mainline business. In the past two to three years, we have seen many startups foraying in this area with humongous seed, angel, and VC funding. Mobile is a mini-computer, and an increasing number of financial transactions through mobile led to a surge in companies providing this value in a simple form. And thanks to COVID-19, I was forced by circumstances to install and activate some popular wallets to get my share of daily needs. And then, in the virtual yet fully connected world, audio-video is part and parcel of communication. All existing and new platforms and apps enable the need to communicate with users by dialing the phones, be it with a virtual number or a PSTN number. So, we saw many API-based startups in Telephony API becoming popular.
Now, let’s look at all these aspects together from a data security point of view. Related questions will be:
- How to comply with the standards?
- How to efficiently store data?
- How do you quickly process data?
- How to make the data available to qualified stakeholders?
All this with the underlying, non-negotiable goal of data security and privacy.
API-driven Privacy
Though I don’t use Apple Pay, it was interesting to learn about the way it operates1. The highlight here is not NFC, though it is a superior technology analogous to Bluetooth. Just wave the card, and the connection is set up with the merchant’s terminal. But the innovation is “tokenization.” No credit card data is stored on the iPhone or Apple’s servers. And no credit card data is ever transmitted to or stored on a merchant’s servers, not even in encrypted form.
Wonderful! Isn’t it? From a high-level view, the actual number is replaced with an identifier that’s of no value outside this system, even if stolen.
That’s the idea behind the modern way of protecting data — API driven privacy. It was all about signatures, policies, controls, contextual examination, integrity, access, and permissions on the data, while the new technology is about changing the data itself, at source, in a way that means nothing to the stakeholders outside the system.
A Token-based approach
OK, so the data is tokenized but then if a stakeholder needs a report, how would it work? Modern technology splits up data into various tokens and leverages the advancements in fields of encryption and others. For example, homomorphic encryption is an advancement, which encrypts the tokens, yet provides the ability to process the data through some basic operations. The result can then be decrypted, which is the same as if the original data was leveraged. The use case analysis has been the key to this ecosystem. End-users are not looking for real data, but they are looking for processed data, mainly reports. This way of storing and working with data leads to a win-win situation by protecting privacy and generating the stakeholders’ desired output.
The cons of this approach are limited. Technically, splitting the data, generating tokens, storing them separately, and then querying with many joins, is a process that can introduce a long latency. But this is being addressed by increasing computer speed and distributed computing. The rate of increase in computing speeds is going to be higher than the rate of data growth. Quantum computers may pose a risk in the future, but post-quantum cryptography advances seem promising, and the risk is small.
Stakeholders in the BFSI vertical are much advanced compared to others. Almost every transaction is electronic, whether through the internet or intranet. Hence, complying with PCI DSS is much easier with the modern approach to handling data privacy.
Compliance in health care
However, this is still a challenge in healthcare. The COVID outbreak has led to a sudden spike in getting hold of health data. CCPA allows citizens to ask for their health data; companies want to know about their employees’ health to help them and protect others; hospitals need to know the details for obvious reasons, and insurance companies have a long queue for claims. Two key issues still need to be addressed:
- Digitization of health records: Good progress has been made by multiple players in this space, but it is still a daunting task.
2. Interoperability: Stakeholders of the healthcare ecosystem aren’t well connected yet. If investigated on priority, a full privacy complaint health care system can exist, which can help effectively, not only in treating reactively but also to analyze and predict disruptions pro-actively, powered by AI and analytics.
If a person falls sick, there is a cost for the treatment. It is an expense in the global GDP regardless of whether the individual paid for it, the insurance agency did, or someone else did. A healthier world population automatically increases the global GDP and boosts the economy of every county.
So, we see that compliance regulations help the end-user and become the catalyst for innovation, which has social benefits and business profits!
About the Author
Mahesh Kumar Gupta has been working in the security space since 2011. He is a CISSP and has almost 15 years’ experience in Product Management. Initially, he managed the disaster and system recovery global product portfolio at Symantec. From 2013 onwards, he was handling all storage security products. In his last role as the Head of Product Management at Broadcom, he was also responsible for the entire encryption products portfolio. Before his MBA, he was a core developer at IBM Software Labs for Tivoli Security Directory Server. An alumnus of IIM, Ahmedabad, and BITS Pilani, he has also worked at Adobe and IBM.
DISCLAIMER
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
