The headlines are clear. We have a serious problem with data protection despite all the talk about cyber security. Up until now, all efforts to protect digital assets have been concentrated on edge protection, from firewalls to intrusion detection. The end result is that our defense systems create what has been described as a French baguette: hard and crunchy outside, soft and chewy inside. Judging by the exposure caused by the method used to compromise SolarWinds, a primary tool to protect systems, those efforts are not as effective as they need to be. Even Microsoft was impacted by this attack, which allowed hackers access to its most guarded information, namely the source code of some of its software products.
One of the most damaging types of attacks involves healthcare organizations. Despite the strict HIPAA regulations and the hefty fines they impose when patient records are exposed to unauthorized actors, just over the past few months a number of well-known as well as lesser-known healthcare organizations have suffered data loss, impacting their business financially and allowing their patients’ personal records to be published on the dark web. UPS just reported that the healthcare systems of one of its partners, responsible for its drivers’ medical tests, were hacked, allowing the bad actors to access and steal the drivers’ medical records. Leon Medical Centers and Nocona General Hospital were targets of ransomware after hackers copied the health records of tens of thousands of patients. All these hospitals and healthcare organizations have robust edge protection and yet they still fell victim to hackers. But considering that the hackers succeeded in penetrating US government agencies and Microsoft, one cannot expect hospitals and clinics to have employed a more robust defense system. Edge defense systems simply cannot be counted on to protect any organization’s digital assets. There will always be a weakness the hackers can exploit, and once they get past the hard and crunchy edge systems, they face nothing but the soft and chewy internal systems, which allow easy access to supposedly authorized users.
It is obvious from the edge defense method’s track record that more attention needs to be paid to the digital assets themselves. It has been known for a few decades that utilizing encryption algorithms is the only way to protect sensitive data. If important digital assets are stored only in encrypted form, then if and when hackers get past an organization’s edge defenses, they will not gain access to readable data. And yet hardly any organization uses encryption to protect confidential and sensitive data beyond what has been deployed for credit card transactions and some emails. This is because encryption has carried very high overhead when it comes to encryption key management, and it makes sharing data with partners in a supply chain exponentially more difficult to achieve. There is therefore a need for a new approach and solution to encryption to increase adoption of data encryption. For organizations to opt for encryption, encryption key management and data sharing with partners must become invisible, requiring no effort beyond what organizations already have in place to interact with their data.
We have managed to invent a new approach to data encryption and key management that automates encryption key management and facilitates third-party integration without requiring organizations to make any changes to their daily interactions with their systems.
To be continued…