The year 2011 was famously dubbed “The Year of the Hack.” Notable victims included Google, Internet security company RSA, international financial giant Citibank® and the FBI’s private-sector, homeland security-minded partner InfraGard. The attack on Sony’s PlayStation® network reportedly cost the company $170 million.
From then to now – just two years – 90 percent of all data in the world came into existence. And we’re just getting started.
We are on the verge, or over the edge, of a troubling precipice – the Hacker Disaster. Similar to the destructive forces of nature and man that we are all too familiar with, yet far more insidious, the Hacker Disaster can inflict long-lasting personal turmoil, ruin lives and cost billions of dollars. Ubiquitous data generation via the Internet only exposes more business, government and personal assets to risk of compromise.
The SnapChat breach on New Year’s Eve is particularly troubling. Despite warnings that the site and its customers were vulnerable to attack, the social media company chose to believe it was impervious to compromise, certain that it was doing all it could to thwart hackers. New Year’s Day headlines told a different story, and personal information about SnapChat’s customers was published for all to see … and exploit.
The Unseen Enemy
Hacker motivations run the gamut: purely criminal intent, self-aggrandizement, exposing weak security, mass mischief, or retribution. For good or bad, national security is cited as justification, as well. With so many potential origins of attack, defending data is an onerous but essential chore that requires constant vigilance.
An entire industry has grown up around the need for data defense, because an entire industry exists to conquer it. Both are hard at work developing weapons. Hackers, however, really have nothing to defend. They are always on the offensive, covering their tracks, conjuring new strategies, moving at will from target to target and scattering when threatened.
The element of surprise is on their side. That’s a hard enemy to neutralize.
With such a formidable and evasive enemy, the questions inevitably arise: what are my best defenses and where is my data most safe? Those questions need to be asked and answered with unsettling frequency. More than ever, cloud data storage is included in discussions about data security strategy and implementation.
Insource or Outsource
Storing non-critical data is one of the most appealing, cost-effective uses of cloud technologies. One of the perceived benefits is that the IT department is then left with only its most critical data to protect. Assuming that is the case, then does IT:
- Know which of its data is actually critical, who has access to it and where it is stored within the infrastructure?
- Have an individual directly responsible for enforcing data security policies and procedures?
- Have its security measures and website professionally audited multiple times per year?
- Have strict password and access control policies that are rigorously enforced?
SnapChat would have probably answered “yes” to these questions, as would have Target® (which suffered a major breach at the end of 2013) and Skype™ (which has the dubious distinction of being the first major hack of 2014). The presumption of policy compliance often leads to policy complacency. Check the box and move on to tasks with immediate priority.
Increasingly, the viability of the cloud for storing critical data is becoming better appreciated. The experts at Forrester Research, for example, advise that the gap between prospective cloud users’ requirements for security and a cloud services provider’s (CSP) ability to provide it is closing, going so far as to say that, with the right approach, data security in the cloud can be more formidable.
There are legitimate concerns about cloud security. Data stored in the cloud typically resides in a multi-tenant environment, and shares virtualized server space with data from other customers. An inherent risk of multi-tenancy is the potential failure of isolation mechanisms that separate memory, storage and routing between tenants.
For a number of CSPs, however, data security is a core competence and a daily focus. Serving the security demands of multiple customers keeps them on top of their game in terms of internal and third-party auditing, 24/7 monitoring, new products and technologies, dedicated staffing and training, and industry and agency regulatory compliance. They have data encryption, advanced key management, process-based access controls and other sophisticated strategies for securing data.
Incurable, but Treatable
Risk to data security is constant. However, the stakes are getting higher and higher. Business, government and personal lives are inextricably tied to the Internet. The flow of information is forever increasing and, with it, the opportunity for more – and more serious – hacker disasters.
The best defense is to put forth a best effort that’s a continual process, not a once-a-year obligation.