Security has been more granular over the last two decades, moving deeper into the stack with each new generation. This trend began with hardware and has progressed via the network, servers, containers, and finally to the code itself.
The emphasis should be on the information. First.
Data, particularly private data, is the new frontier for security experts. Whenever a company’s data is compromised or disclosed, it is considered to be sensitive. These types of information include personally identifiable information, financial information, protected health information, and personally identifiable information about other people. The consequences of a data breach are quite serious. Fines levied by the General Data Protection Regulation (€10m or 2% of yearly income) and the Federal Trade Commission (e.g., $150m against Twitter) are concrete examples. Then there are the hidden expenses, including the agony of reorganising, the faith of customers (Chegg compromised the data of 40 million users), and more.
The current state of data security technology relies too much on ad hoc, piecemeal solutions. Consider the case of id management. The purpose of the system is identity verification. In practise, these methods have built-in weak spots. Once a user’s identity has been verified through identity management, they have unrestricted access to critical data.
Suppose you put all of your trust on data; what would happen to your security?
Data is one of the most valuable things a company may have, yet it is often the victim of large data breaches and leaks. Data-first security is the next logical step in the development of cyber defences.
The Information Is Distinctly Not the Same
Let’s start out by recognising that information isn’t isolated. You know that data is intimately tied to numerous systems if you’ve had trouble understanding and complying with GDPR. Information is handled by systems, saved in storage, duplicated, updated, and moved around to other systems. The potential for danger grows with each passing stage. This is due to the fact that the systems involved in these procedures are weak, and not because the data itself is insecure.
The idea itself is straightforward. Let’s stop treating each system in isolation, without understanding the information they transport or the connections between them. The thread should be pulled backwards from the data. Is there a risk of leaking private information with talkative loggers? Are unapproved parties given access to sensitive information? Is there a lack of protection for information in S3 buckets? Has there been a lack of data encryption? There is a laundry list of possible flaws.
Particularly in a cloud-native environment, the difficulty in ensuring data security arises from the endless ways in which data might move between systems. Data and the threats and vulnerabilities it presents should be transparent across all systems at all times. However, this is far from the truth.
Putting data security foremost begins with the coding. So, in terms of coders: Take a left turn. In 2018, 57% of security teams have switched security left, or intend to this year, according GitLab. Put security measures in place as early as possible in the development process.
Unfortunately, shift-left usually only implies that extra work is allocated to the technical team. For instance, they can ask them to fill out surveys and questionnaires based on the premise that they are well-versed in the varying data governance needs of different countries’ economies, regions’ marketplaces, and highly regulated sectors. Those aren’t the actions of programmers.
As such, there are three pillars that must make up a data-first security strategy: It safeguards against (1) security vulnerabilities, (2) mistakes in bespoke business logic, and (3) additional security liabilities (not every breach involves a bug).
Please, no more security flaws
Risk reduction is at the heart of security. Introducing a new piece of hardware or supplier violates this fundamental rule. Of course, SolarWinds is on everyone’s attention, but new competitors appear every day. Not only does it provide a challenge for the security team, but also for the SRE/Ops team, to have a new tool integrate with your production system. When we do data discovery on our production infrastructure, we are looking at real-world values and prospective customer data, the same thing we are attempting to keep safe. Avoiding access to critical infrastructures and data may be the best strategy to avoid becoming another danger.
Given that a data-first security approach necessitates familiarity with sensitive data, the fact that discovery can be carried out only by inspecting the codebase may come as a surprise, especially given that traditional data loss prevention (DLP) and data security posture management (DSPM) solutions conduct discovery on live data. Metadata (but not real data) is what we have access to in the codebase, and it’s true that we can’t change anything. Surprisingly yet, this method of uncovering secret information is also very precise. Indeed, the abundance of available contexts makes up for the absence of values, which is essential for categorising.
Subtly charming pop culture geek. Amateur analyst. Freelance tv buff. Coffee lover