Organizations that want to survive and thrive in the 21st century need every advantage they can get: top talent, top strategies and, of course, top technology. Technology, after all, has helped make business transactions faster, more transparent and more efficient. Big data, cloud computing, the Internet of Things (IoT), robotics, bots and other forms of artificial intelligence are all technologies that your organization is probably considering or reviewing, if they are not already in use.
These technologies also blur or eliminate traditional enterprise perimeters, and present new conduits for cyberattacks. We live in a world of malware, ransomware, spear phishing, insider threats, nation-state attacks, APTs, SQL injections and social engineering. While there are no silver bullets to protect against this reality, CXOs who “follow the money” and focus on an end-to-end approach to data protection can become enablers for new business and technology use, while also promoting the safety of existing operations.
There’s No Data Protection without a Data Protection Plan
First, it’s incredibly important that CXOs have a comprehensive plan for protecting sensitive data regardless of where it is stored or how it is used. Most organizations start thinking about this in terms of compliance and regulation. Compliance and regulatory standards represent minimum requirements for operation, but CXOs should consider them only a starting point. Given the rate at which threats evolve, even the most prescriptive regimes can’t guarantee that data will be safe.
If CXOs are serious about implementing an end-to-end data protection plan, they need to go beyond compliance and think about the need to secure data at each point in its creation, transmission and use. Some critical elements of this are:
- Secure identities – whether personal or for applications and devices
- Secure communications that ensure data isn’t exposed or altered in transit
- Secure storage of information that strongly controls access
- Secure use that only allows authorized users and applications
These security services rely on a set of underlying technologies for support: encryption, key management, access controls and digital signatures. If you’ve not approached these services before, even getting started can seem intimidating, but there are some good places to start:
- Meet the compliance bar for basic requirements
- Determine what data in your business is most sensitive, and all the places it is sent to, used, and stored
- Secure data stored and used on back-end systems, as these are the biggest targets for data thieves
- Recognize threats posed to existing applications by building in additional security as the application evolves, updating your organization’s security posture as you update the application for new features
- When starting a new project, design the security into the project at the start. It’s tempting to prioritize time-to-market over all else, but data security requirements are least expensive and most easily addressed upfront
Keep in mind that your end-to-end plan should go step-by-step. While security is important, it’s best done right. A thoughtful, analytical, data-centric strategy goes a long way. Covering all our (data protection) bases, so to speak, was one of our motivations behind the marriage of Vormetric + Thales.
While the challenges we all face are immense, there’s also so much to be excited about. We live in a time of unprecedented technological growth and change. Which brings us to our next two topics, cloud computing and digital payments.
Protecting Your Data in the Cloud
Organizations are embracing the cloud in unprecedented numbers. Gartner estimates the revenue from the two top cloud providers (AWS and Azure) is over $14 billion. By 2018 they estimate 50% of applications in the public cloud will be mission-critical.
One of the greatest concerns when moving to the cloud is the security of your organization’s data. The concern results from the fact that applications and data are no longer under your organization’s full control. And this becomes critical – after all, you can’t ensure that data and applications remain secure if you don’t fully control access and security. One of the best ways to mitigate this risk is to protect data stored in cloud environments with encryption and access controls. But this raises another question: who controls the encryption keys and access policies? Best practice dictates that the data owner should. By keeping control of the keys, organizations can control access to their encrypted data – even eliminating access from the cloud service provider. Today, the major cloud providers have acknowledged that in many situations, organizations need to control their keys, and they now offer Bring Your Own Key (BYOK) capabilities.
The new Thales e-Security organization is a clear leader in this area, with explicit support that enables local control of cloud data with BYOK as well as with traditional encryption and access controls across Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) environments.
Good examples for IaaS and PaaS include Amazon’s AWS Key Management Service (KMS) and a similar service in the Microsoft Azure cloud with Thales e-Security offerings, and a completely enterprise-controlled capability using the Vormetric product line. But the most exciting area for BYOK is SaaS, where enterprises have had no control over their data in the past. Salesforce is setting a high bar, offering customers the capability to completely control the keys that encrypt their Salesforce data within the application, keeping the keys within the customers’ local environments and eliminating access by Salesforce. Again, Thales e-Security’s Vormetric product line is already supporting this, with a Key Management as a Service (KMaaS) offering for enterprises that addresses enterprise compliance and best practices for managing encryption keys without exposing data within Salesforce to outside access.
Expect other SaaS application providers to follow Salesforce’s lead, giving the control of enterprise data back to their enterprise customers using BYOK.
Balancing Convenience and Security in Mobile Payments
Mobile payments are popular. They’re fast, they’re easy, and they’re convenient. They’re far easier than inserting a card into a point-of-sale, entering a PIN and waiting for transaction authorization. But while convenience may be king for the consumer, convenience isn’t always synonymous with security.
The mobile device is an inherently untrusted device, and for it to play a role in the payments ecosystem a comprehensive security infrastructure needs to be established to support the evolving mobile environment.
There are three key areas that should make up this security infrastructure: secure identities; security of data in transit; and security of repositories and processing environments (sound familiar?). The good news is that there are proven trust models for minimizing the risk of fraudulent transactions while protecting all critical keys and payment credentials – such as access controls, encryption, digital signatures and data access monitoring. All of these technologies limit exposure to threats and enable user behavior monitoring that reveals when credentials have been compromised.
The takeaway here? When pursuing digital transformation through mobile payments, the architecture and security concerns must be addressed at every level of the solution. Encryption, enabled by secure identities, is a basic requirement at every level.
The notion of security as a business enabler brings me to my next topic, the Thales/Vormetric acquisition.
A Unified Platform: Better, Faster, Stronger
Our mission statement, quite simply, is to be the undisputed leader in data protection and digital trust management everywhere data resides. In short, we want to enable businesses to securely conduct business. It’s no easy feat, but we’re up to the challenge.
According to MarketsandMarkets, the cybersecurity market will hit $170B by 2020. The increase in data breaches, proliferation of data to the cloud and to mobile devices, as well as the growing demand for compliance and data privacy have increased the need to protect data at every level.
The new combined business will secure and obfuscate data in more environments, in more ways, providing the most comprehensive automated key management throughout the data lifecycle. With the most secure techniques and recognized industry certifications, the company will deliver market-leading non-disruptive, easy-to-deploy and manage security at the lowest life cycle cost.
Both Vormetric and Thales have a heritage of supporting the world’s leading cloud companies. Through our unified data protection platform we plan to further accelerate our cloud security offerings and strategy by securing even more cloud data: on premises (private cloud), in the public cloud (IaaS, SaaS, PaaS), at the database, container file, structured and unstructured, whether at rest or in motion.
I look forward to leading the new collective Thales e-Security team and our partners as we begin the journey to create the undisputed leader in data protection and trust management.