In the last couple of weeks, we have participated in several industry events, including the recent SAPPHIRENOW event hosted by SAP. I am a big supporter of these types of events as it is invaluable to be able to learn, share information, monitor market trends, and perhaps most importantly, speak with customers and have one-on-one conversations on what problems they need addressed and what they are currently lacking.
It is evident that organizations are looking to increase their value and maximize their technology investments by moving many business-critical applications to the Cloud. There are obvious benefits to this – cost savings, more efficiency in operations and enhanced ability to leverage analytics for more focused business decisions are just a few to name. However, to move all of this forward, customers are looking for new and innovative ways of protecting their critical business and data assets in our very volatile and breach-prevalent market. Security is challenging enterprise progression, and after attending several events recently, it is clear there is a discrepancy between the perception and reality by vendors on what customers actually want to fix this.
Companies and vendors continue putting out “new” solutions that are simply add ons to existing security investments, but it seems that customers are fed up with the security industry “add-ons” for promised enhanced security, as time and time again, the same old vendors are promising new and exciting solutions to protect companies and their data, yet major breaches keep happening.
I will be blunt – security add ons are crap. They are just a patch to stop bleeding so to speak, but they are not permanent solutions and they certainly are not innovative and new. Now, I am not saying that all current security solutions are crap, but we have had the current security practices for over a decade now, and while they have definitely worked in some cases, there are other well documented ones where they have blatantly not. This alone tells me that we need to re-evaluate how we are protecting our systems and data.
I am not saying that companies should stop purchasing specific security applications, CASB's, Firewalls, VPN's etc., but instead of bolstering the current systems with new patches and add ons, it is time that we ask ourselves if we are doing it right and providing enough trust and security to enable organizations to allow their customers to use that data correctly. Where we need to focus our security efforts is on the data itself, both at rest and in transport. The core focus must be on protecting the data at the foundation level.
Given that a business will easily spend millions to protect access to data, it would only make sense to secure the data itself as it comes through and sits in your database. But wait, you say we do that, right? Well yes, this happens with encryption, but there is a flaw - current database systems can encrypt stored data, but it is carried out in a way that anyone (human or machine) that has access to the system at any administration level generally also has access to the plain unencrypted data. This leaves a big come get me sign. That’s why at BOHH Labs we believe in offering database or specific field level security. All data that needs to be secured is removed from the source, encrypting it and storing it separately without changing the structure, enabling prioritization and control over every data point. We do this because it stops the inside hacking job. If the database does not contain the data, then a malicious actor who has gained root or admin privileges cannot run a simple query on the data, extract it, and have it available to them to sell to whoever they like, unlike traditional TDE Data Encryption or homomorphic encryption technologies!
By putting our security focus on the data itself, not just where it is coming from, where it is stored or being transacted to, it enables better protection for both external and internal threats that customers desperately need.
No comments:
Post a Comment