Combating the Notorious Nine with Zero Trust Data Security


Businesses and organizations are increasingly moving their data to public or private clouds to take advantage of their cost-efficiency, flexibility and scalability. However, as the recent attacks on Anthem, Premera Blue Shield, Sony, Dropbox, Target and others have shown, security remains a major barrier to cloud adoption.
The Cloud Security Alliance surveyed industry experts to identify the top nine threats, which they labeled as the “Notorious Nine.” Before discussing solutions to these major threats, I’ll provide a brief description of each of them below.
1. Data Breaches. The cloud exacerbates this old threat by enabling more ways for hackers to get in. One example is a virtual machine using side channel timing information to extract cryptographic keys from other virtual machines on the same physical server.
2. Data Loss. Malicious attacks, accidental deletion by the hosting company and natural disasters are among the sources of data loss, which ripples into the bottom line. For example, employee productivity and other resources now have to be diverted to recover or recreate the data. If terabytes are lost, then the organization also could incur the cost of bandwidth to transport the replacement data. At the very least, its WAN connections will be tied up for an extended period disseminating the replacement data.
3. Account or Service Hijacking. Like data breaches, account/service hijacking is an old threat that the cloud exacerbates. For example, hackers now have more opportunities to eavesdrop, manipulate data, disrupt services and redirect employees, customers and business partners to websites designed to facilitate additional attacks.
4. Insecure APIs and Other Interfaces. Without APIs, cloud services grind to a halt, which is one reason why they’re attractive to hackers looking to disrupt an organization’s ability to do business. APIs also have the inherent risk of providing a third party with access to some of an organization’s most important assets. As the Target breach shows, those third parties also sometimes unwittingly open back doors for hackers.
5. Denial of Service. Distributed, asymmetric application-level and other DoS attacks cost businesses money by, for example, tying up resources that should be serving customers. Their bottom lines can take a hit in other, less obvious ways, too. For instance, DoS attacks consume compute cycles and network resources that victims typically have to pay for because hosting companies and service providers won’t sympathize and knock the charges off their bill. That’s insult on top of injury.
6. Malicious Insiders. The cloud makes assets available to people who might not have had access when those assets were on premises. When some of those people go rogue – such as a disgruntled former employee of the business or the hosting company – those assets are vulnerable.
7. Abuse of Cloud Services. The cloud provides businesses with compute power that they might not be able to afford if it had to be on premises. The same benefit applies to hackers who harness it for facilitating DoS attacks, distributing malware and cracking encryption keys.
8. Insufficient Due Diligence. The cloud provides so many benefits that organizations sometimes overlook all of the policies, procedures and best practices that are key for mitigating security risks. Sometimes that starts with not adequately vetting cloud providers to ensure that, for example, they have security policies capable of meeting the organization’s needs, including compliance with industry- and country-specific laws.
9. Shared Technology Issues. Many cloud services use shared resources, which means risks are shared, too. For example, if a hypervisor is compromised, then all of the organizations sharing that node potentially are at risk.
Affecting the Bottom Line
These threats do serious real-world damage to an organization’s bottom line in a number of verticals such as financial services and healthcare. For example, a recent Kaspersky Lab study found that a group named “Carbanak” stole $1 billion from 100 financial services worldwide.
These hackers and cyber criminals are constantly targeting sites and services such as credit cards, banks and other financial institutions through distributed denial of service (DDoS) attacks. DDoS attacks prevent an organization’s customers from using its website and mobile app for hours or days, which can lead to churn through a lack of trust and a bad customer experience. DDoS is also used as a means to distract banks’ security and IT staff so the attackers can steal electronic funds.
Consumers have made it clear that they will not tolerate banks that lack the security to guard them from these attacks. According to a survey conducted by Harris Interactive, 71 percent of U.S. adults would be at least somewhat likely to switch to a different bank if they became a victim of online banking fraud at their current bank.
To protect against the increasing sophistication of hackers and security threats, organizations and financial institutions can implement a number of different information security models. Forrester Research introduced a “Zero Trust” security model back in 2009, which treats all data communications as untrusted until verified. This model looks at redesigning networks for today’s critical workloads and technology transformations such as virtualization, and at taking a unified approach to both networking and security. Forrester focuses on the data, and on how to deliver the right data to the right person on the right device in a secure way.
In a Zero Trust approach, networks are designed to enable segmentation of resources and access monitoring, while also sharing functionality and global policies. The approach allows all users to access the network, but not all users to access all data, thus enabling mobility, high availability and the use of cloud infrastructures without compromising security, Forrester claims. Adding encryption to all levels of data communication will further enhance cloud security for any organization.
How Zero Trust Encryption Can Be Used to Negate the “Notorious Nine” Threats
To alleviate security threats, companies will benefit from using encryption solutions that protect data both at rest and in transit. Encrypting data throughout the entire process mitigates weak points where cyber criminals can gain access.
End-to-end encryption is critical for combating the “Notorious Nine” threats and, ultimately, for maintaining the most secure network. With encryption, even if firewalls or other safeguards fail, hackers will not be able to do anything with the data because they lack the keys. In addition, unlike other security protocols, such as Secure Sockets Layer, encryption does not require compute-intensive processing to function. Therefore, encryption provides the necessary security without negatively affecting the end-user experience.
The ideal encryption solution also uses a streaming architecture that minimizes overhead and reduces latency. Streaming encryption also can reduce the amount of data transmitted over the networks, increasing efficiency. This is particularly valuable when employees use mobile devices over cellular because less overhead means less chance of exceeding their monthly data allotment.
By implementing Zero Trust encryption as a service, companies can combat the “Notorious Nine” without tradeoffs in user experience, network performance and cost and in the process keep their brand out of the headlines.