We can spend a lot of time—and hot air—looking for the specific vulnerability or the specific person who was responsible for but didn’t apply some specific patch or update that could have prevented it. That, unfortunately, is looking at the problem in a way that won’t result in a real solution. I’m not excusing vulnerabilities, and I don’t in any way want to discount the impact that data breaches have on businesses and individuals: it’s easy to see the effect on companies, and I’ve been the unhappy victim of identity theft in one of the well-publicized breaches myself.
It’s in the Numbers
Yahoo still tops the list, in terms of the number of people affected. Yahoo disclosed in 2016 and 2017 that that three billion accounts had been compromised in 2013 and 2014. The impact on individual, let’s call them “end-victims” was huge, as their names, addresses, telephone numbers, birth dates and security questions were all exposed. The impact on Yahoo itself is sobering: in the midst of an acquisition at the time, the financial hit was easy to see as an estimated $350 million was lopped-off their selling price. (Reference — https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html, October 11th, CSO Magazine)
While not the largest, the Equifax breach really hit hard, as, by their own account, Equifax aggregates information on over 820 million individual consumers and 91 million businesses around the world. ( http://www.equifax.com/about-equifax/company-profile October 24, 2017). And we trust(ed) them. They’ve got it all. In fact, when my identity was breached in a low-tech phishing scheme in which someone in the accounting department of a former employer of mine handed thousands of employee W-2’s over to an imposter CEO, Equifax was one of the three credit reporting agencies I rushed to to lock-down my credit. To protect myself.
2017 has been a very big year for hacks and breaches. Verizon and Equifax are probably the best-known (and perhaps the largest), but there have been countless others: Hipchat, Wonga, countless healthcare and other organizations hit by WannaCry. Even the dark web got hacked in 2017: when Freedom Hosting got hit, the breach took down one fifth of the dark web. (ZDNet, September 20, 2017 – http://www.zdnet.com/pictures/biggest-hacks-leaks-and-data-breaches-2017/2/). Credit cards, social security numbers, private photos, intellectual property – it’s all vulnerable.
Breaches are going to happen. We need to take a step back and do the right thing. Store data securely so that when a hack happens, the data is protected. A well-designed storage solution will take into consideration compliance needs and implement proper security protocols and best practices in the <architecture.
Security Regulations Offer Real Guidance – Not Just Red Tape
Compliance regulations have a foundation in reality, even if sometimes they can feel onerous. Some commonalities across different regulations describe basic, commonsense safeguards:
- Role-based Access – Not everyone should have privileged access to sensitive information in an organization. Rose-based access that provides appropriate levels of access for users, administrators or others is a basic safety mechanism for controlling access to sensitive data.
- Data Encryption – At rest (while stored) as well as while data is in transit — when uploading and downloading data.
- Data Integrity – Ensure that protections are in place to prevent data from being tampered or altered (intentionally or unintentionally).
- Network Security – Firewall rules and network segmentation to protect systems and services.
- Auditing – Record all transactions and changes made to data and access privileges.
We can help. Scality RING can be a strong ally in your plan to meet data availability, retention and security requirements. And, you can use its multi-geo options to distribute data across availability zones to ensure data access even when an entire data center—and even part of another—are lost. Download the whitepaper “Data Security in the RING” for more information on how to accomplish this.