Why do we continue to see more and more data breaches each year – reported or otherwise? According to Jason Hart, VP of Cloud Solutions at SafeNet, if we look at how we do business and use IT today, it is essentially virtualized. “If you go back five or more years ago, you would back up your data on a tape, store it in a safe, or employ a third party to look after it for you.”
So what can organizations do to combat this new reality? “It’s all about data – data is everywhere”, Hart observes. “Organizations should stop thinking about breach prevention, accept they’re going to be breached, change their mindset, and think about how they will protect and store their data.”
In today’s business world, IT has transitioned to primarily virtual environments and the cloud to store and back up our data. “And what do we use to protect those environments?”, Hart asked Infosecurity during an interview at this year’s Infosecurity Europe in London. “Usernames and passwords”, he replied. “So, some of the basics that we were doing really well have gone out the window because of the way IT has evolved, and I’m not surprised we are seeing more breaches as a result.”
Hart – a 20-year veteran of the security industry who specializes in authentication – joined SafeNet during its 2012 acquisition of Cryptocard. His company compiles a data breach scoring system, known as the Breach Level Index (BLI), and in the first quarter of 2014 alone, SafeNet noted over a million data breaches (with an average of 2 million reported records every day), “mainly US centric at the moment”, he added, because of the abundance of notification laws within the country. “The scary thing is”, Hart continued, “this is only the breaches we are aware of – especially if you consider that any major breach can take up to six months to report, if it is disclosed at all.”
Also concerning, Hart pointed out, is that only about 1% of the breaches his company evaluated are what they consider “secure breaches”, where the data was protected via encryption and where the encryption keys were not stored in the same network location. He said it would be “really cool” if, one day, organizations that publicly disclose breaches do so willingly, and highlight the fact that they are “secure breaches” where the data was protected.
Hart, of course, is a proponent of two-factor authentication as a simple and cost-effective means to secure data, especially data held by third-party cloud providers. Yet, he lamented, many cloud providers do not offer such a mechanism, and even users shy away from free 2FA offerings, such as that provided by Google for Gmail and other cloud-based services. He observes that barely 2% of cloud providers allow clients to tie their own 2FA into the cloud-based service, with roughly the same number of cloud providers offering their own 2FA solution for clients.
“For cloud providers, it should be mandatory for them to allow users to use two-factor authentication, or let enterprises tie in their own two-factor authentication. Cloud breaches are overtaking internal ones”, he says, “because that’s where the data is being stored.”
“It’s up to customers to demand of their cloud providers that they supply two-factor authentication, or allow customers to deploy their own.”