Addressing the Gap: Shifting to Ubiquitous Data Security

Addressing the Gap Shifting to Ubiquitous Data Security-01

A company’s security posture is only as strong as its weakest link. Identifying and fixing security flaws is clearly a never-ending struggle for security experts.

Traditionally, security has been implemented using a multi-layered, multi-vendor, multi-solution strategy. This boosted visibility but did not resolve the issues. For security teams, there are just too many vendors, too many levels, and too much complexity. Cybersecurity consultants provide specialized gap analysis services to identify the security flaws that attackers are eager to exploit in an organization’s security fabric. However, the loopholes gaps still exist.

Unfortunately, almost every piece of IT infrastructure possesses its own encryption scheme – if it has one at all. This adds a great deal of complexity to developers, IT, and even users’ lives. It’s difficult to tell if the data perimeter created is contiguous and complete. Is the data being encrypted right now? What level of encryption is being used? What is the location of decryption? Are the policies on access uniform? This mind-boggling complexity invariably leads to gaps and wasteful investment on layers upon layers of security protection.

Also Read: Three Cybersecurity Practices that CISOs Need to Adapt in 2022

Even worse, practically every server functioning today has a large hole in the data perimeter. Only two of the three states of data are addressed by all of those encryption solutions: data at rest and data in motion. However, data in use in a cloud or data center may be continually exposed. If data can’t be used and modified in real time, it’s meaningless. However, because data must be unencrypted for processing and must remain in the clear in memory during this runtime state, it becomes the most vulnerable. Insiders or attackers who get access to a host can help themselves to very valuable data

Also Read: Three Trends that will Shape Legal GRC in 2022

When protection is implemented inconsistently or when just some assets or attack surfaces are secured while others are left unprotected, security is compromised. The strength and value of an organization’s full set of data security controls are weakened by the lack of data-in-use protection. Consider the requirement to decrypt data using cryptographic keys. Keys are exposed in the same way that the data they are supposed to safeguard is. They must sit in memory in order to be used.

To close this gap and limit the shared responsibility and risk they bear with each of their customers, virtually every major cloud vendor has installed new hardware. This hardware may entirely encrypt data in use, denying insiders or attackers implicit or explicit data access and thereby expanding the data perimeter surrounding data in memory and data being processed. Encryption keys can be totally locked down using these confidential computing technologies. Previously, only complex, expensive hardware security devices could provide this level of hardware isolation. It’s now virtually ubiquitous, with all of the big cloud vendors providing it at no additional cost.

While these security features are widely available, they are rarely employed since they often necessitate re-architecting applications and restructuring processes. Because of this hurdle, most businesses are unable to use this technology. The incredible potential of bridging a substantial gap while also combining complexity into a single, ideally invisible data security platform is yet to be fulfilled.

This problem is being addressed with new software. The creation of a strong, single, contiguous data perimeter that stretches elastically across all cloud vendors, data states, and locations is made possible by invisibly integrating robust, hardware-rooted data security into the software stack itself. This, like virtualization, allows most applications to run within a data perimeter with no changes to code or IT processes. This will significantly minimize complexity, management, and maintenance costs. In what is effectively a confidential cloud, data can now be protected end-to-end using a single, robust, and consistent mechanism.

Other aspects of data security, such as cloud-based installations, are still necessary, but this effectively makes data self-secure. By default, this safeguards machine-learning algorithms, company secrets, intellectual property, and data subject to privacy laws and other regulations. The elimination of a simple memory-in-use flaw reduces the complexity of current security, closes dangerous encryption gaps, and gives businesses a significant advantage in the on-going war against attackers.