With COVID-19 mask mandates in effect, some people choose masks made of mesh, which are completely useless at preventing virus spread. They get away with it because regulations generally do not define what constitutes an acceptable mask: they are fully compliant with the law without protecting themselves or the people around them.
This reminds me of how too many people approach regulatory compliance: they read a regulation such as PCI DSS, encrypt data at rest, and stop there. Sure, this is easy to implement and may get them through a PCI audit, but it provides a false sense of security, just like wearing a mesh mask during a pandemic.
For starters, consider how today's data breaches actually happen. When the regulations were written, the typical loss scenario was physical: a lost laptop or a stolen or misplaced backup tape. Those are old-school problems. Today's intrusions use software running on compromised machines to exfiltrate data, often sending it out slowly to reduce the risk of detection. We have seen this pattern again and again over the last couple of years in a succession of mega data breaches: malware siphoning valuable data reached through application weaknesses. Container-level protection (encrypting the disk, volume, or database files) is transparent to every process running on the compromised host, so it does nothing against this kind of attack. It is the mesh facemask of data security.
But what does a proper data security facemask look like?
Data protection is all about keeping high-value, regulated, and personal data from reaching unintended users. And since those data assets are exactly what the attacker is after, it is critical to protect the data itself first, rather than only the systems around it.
The Micro Focus Voltage Security portfolio offers N95-quality tools to provide that facemask: SecureData for structured data and SmartCipher for unstructured data, to protect this data throughout its lifecycle.
Voltage SecureData focuses on format-preserving data protection through several technologies, including NIST-standard Format-Preserving Encryption (FPE, standardized as the FF1 mode in NIST SP 800-38G). The encrypted value (a date, a name, a national ID such as a U.S. Social Security number) keeps the length and character set of the original, so database schemas and application code that store or validate the field need little or no change. SecureData also offers Secure Stateless Tokenization for credit card data, as well as Format-Preserving Hash (FPH), a one-way transformation that fully anonymizes data while retaining its format.
Voltage SmartCipher transparently encrypts any file and attaches an access policy to it. Authorized end users keep working as if the file were not encrypted, while the policy denies access to unauthorized users.
Applying these technologies offers more than protection at rest. Because the protection travels with the value or the file rather than with the storage it happens to sit on, data protected by SecureData or SmartCipher stays protected while it is transmitted and, for most operations, while it is used. And since data must be used to be useful, this is critical: protecting it only at rest is the mesh facemask. An approach that focuses on the data itself rather than the container provides data-centric security.
Another benefit is that when data does get decrypted, monitoring can show who is accessing it and from where, in near real time. Most SIEM deployments collect events from every endpoint and system in the environment, generating a great deal of noise that analysts must sift through to spot abnormalities that could indicate a breach. The events generated by SecureData and SmartCipher record who decrypted which protected data and from where, so analysts can focus on that small set of meaningful events and gain deeper insight into real risks.
Implementing these technologies requires more effort than transparent, container-level protection, but the increased security far outweighs that cost. And many customers have found that a surprising number of applications do not need live data access at all. For example, it may seem obvious that a system generating credit card bills must decrypt the account number for every transaction. With format-preserving protection, however, it can collate transactions using the encrypted number, because equal account numbers protect to equal values under the same key, and decrypt the customer's name and address only once when it prints the statement. This "protected while in use" aspect further reduces the attack surface. Regulations such as Europe's GDPR, Turkey's KVKK, and California's CCPA treat the theft of properly encrypted data far more leniently than the theft of clear data (GDPR, for instance, waives notification to the affected individuals when the stolen data was unintelligible to the attacker), so even a successful application-level attack can end without a reportable breach, provided the attacker did not obtain the keys as well. That proviso is why the keys must be managed and access-controlled separately from the data they protect.
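The collation-on-ciphertext idea above, as an added illustration that is not Voltage's code and not an implementation of NIST FF1: a small Feistel-style format-preserving cipher over decimal strings, with HMAC-SHA256 as the round function, a demo key, an optional tweak, and a constructed batch of card transactions (all of these are assumptions of this example). It totals charges per account without ever decrypting the account number, and decrypts only at the single step that needs the real value.

```python
import hmac
import hashlib
from typing import Dict, List

# Illustrative Feistel-style format-preserving cipher over decimal digit strings.
# NOT NIST FF1/FF3 and NOT Voltage SecureData: it only demonstrates the property the
# article relies on, namely that ciphertext keeps the plaintext's length and alphabet
# and that equal plaintexts map to equal ciphertexts under one key and tweak.

ROUNDS = 10  # even, so both halves are updated the same number of times


def _round_function(key: bytes, tweak: bytes, rnd: int, half: int,
                    in_width: int, out_width: int) -> int:
    """Keyed PRF for one Feistel round: HMAC-SHA256 over (tweak, round number,
    fixed-width input half), reduced modulo 10**out_width so it can be added
    digit-wise to the other half."""
    msg = tweak + bytes([rnd]) + str(half).zfill(in_width).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** out_width)


def _feistel(key: bytes, digits: str, tweak: bytes, decrypt: bool) -> str:
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2            # left/right half widths (unequal when n is odd)
    a, b = int(digits[:u]), int(digits[u:])
    order = reversed(range(ROUNDS)) if decrypt else range(ROUNDS)
    for i in order:
        if i % 2 == 0:                    # even round: right half drives an update of the left
            f = _round_function(key, tweak, i, b, v, u)
            a = (a - f) % 10 ** u if decrypt else (a + f) % 10 ** u
        else:                             # odd round: left half drives an update of the right
            f = _round_function(key, tweak, i, a, u, v)
            b = (b - f) % 10 ** v if decrypt else (b + f) % 10 ** v
    return str(a).zfill(u) + str(b).zfill(v)


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    return _feistel(key, digits, tweak, decrypt=False)


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    return _feistel(key, digits, tweak, decrypt=True)


# Constructed sample: card transactions as a billing system receives them (amounts in cents).
SAMPLE_TRANSACTIONS = [
    {"pan": "4111111111111111", "amount": 1000},
    {"pan": "5500000000000004", "amount": 725},
    {"pan": "4111111111111111", "amount": 2550},
]


def protect_transactions(key: bytes, transactions: List[Dict]) -> List[Dict]:
    """Replace the PAN with its format-preserving ciphertext at the point of ingestion.
    The result still has 16 digits, so it fits the existing PAN column unchanged."""
    return [{"pan": fpe_encrypt(key, t["pan"]), "amount": t["amount"]} for t in transactions]


def totals_by_pan(protected: List[Dict]) -> Dict[str, int]:
    """Collate charges per account using only the protected PAN. No decryption is needed
    because equal plaintexts give equal ciphertexts under the same key and tweak."""
    totals: Dict[str, int] = {}
    for t in protected:
        totals[t["pan"]] = totals.get(t["pan"], 0) + t["amount"]
    return totals


if __name__ == "__main__":
    key = b"demo-key-not-for-production"     # assumption: a real deployment uses a managed key
    protected = protect_transactions(key, SAMPLE_TRANSACTIONS)
    for t in protected:
        print(t["pan"], t["amount"])
    print(totals_by_pan(protected))
    # The one step that truly needs the real PAN decrypts it; that call is the event to monitor.
    print(fpe_decrypt(key, protected[0]["pan"]))
```

The real FF1 has the same Feistel shape (two halves of the digit string, one half updated per round by a keyed function of the other half), but with an AES-based round function and a security proof; the HMAC toy here is only meant to make the format property and the collation trick concrete. The tweak parameter matters in practice: binding the ciphertext to, say, the account column or record type means the same digits protected in two different fields do not produce the same ciphertext.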
Where's your Sensitive Data?
The other part of a data protection project, of course, is finding the data to protect, and Micro Focus offers tools for that too. Structured Data Manager and the File Analysis Suite analyze and catalog data by type and sensitivity across databases and file shares, and help estimate the impact of a potential breach. They can also show who has access to high-value data and hand that data to SecureData and SmartCipher for protection, further reducing the risk of exposure. Discovery also often turns up a surprising number of data stores holding sensitive information that was collected but never used; simply deleting those fields improves both security and compliance.
Don't be the one wearing a mesh facemask to fight COVID-19. Implement a data-centric security approach and keep sensitive data from getting into the wrong hands!
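What "catalog data by type" looks like at the smallest scale, as an added example that is not the Structured Data Manager or File Analysis Suite code: a scanner that classifies text by sensitive-data type using patterns plus validity checks (the Luhn check for card numbers, the SSA-reserved ranges for U.S. Social Security numbers), so that ordinary digit strings such as batch IDs and phone numbers are not reported. The sample text is constructed for this example.

```python
import re
from typing import Dict, List

# Added discovery example. Pattern alone is not enough: a 16-digit batch ID looks like a
# card number, so each candidate is validated before it is reported.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")   # 14-19 digits, optional space/dash separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check used by payment card numbers: double every second digit from the right,
    subtract 9 from doubled values over 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues: area 000, 666, 900-999; group 00; serial 0000."""
    return not (area in ("000", "666") or area >= "900" or group == "00" or serial == "0000")


def scan_text(text: str) -> List[Dict[str, str]]:
    """Return one finding per validated sensitive value, tagged with its data type."""
    findings: List[Dict[str, str]] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append({"type": "card_number", "value": m.group()})
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append({"type": "ssn", "value": m.group()})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per data type, the figure a catalog would show per data store."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


# Constructed sample: one real-looking card number and SSN among several decoys.
SAMPLE_TEXT = """
Order 20231105-0001 for customer 123-45-6789 paid with card 4111 1111 1111 1111.
Batch id 1234567890123456 exported; legacy id 000-12-3456; support line 555-123-4567.
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_TEXT)
    for h in hits:
        print(h["type"], h["value"])
    print(summarize(hits))
```

The decoys are the point: the batch ID fails Luhn, the legacy ID has a reserved area number, and the phone number never matches the SSN shape. A catalog built this way gives a per-store count by data type, which is what the breach-impact estimate and the "collected but never used" review in the text start from.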