A report from DLA Piper states that more than 160,000 data breach notifications have been reported across 28 nations in the European Union since the General Data Protection Regulation (GDPR) went into effect in May 2018 — an average of more than 260 data breaches per day. And, when you consider that since California's 2004 law on privacy breaches, over 9,000 breaches have been recorded and 11.5 billion records have been exposed, it is evident that threats against sensitive data are unprecedented.
Is this the new normal? Can there be any expectation of security and privacy when even the most stringent of data privacy regulations appear to have little effect?
Companies, government agencies and consumers must change their behavior if they expect to stem this tide. They must adopt disruptive defenses to make it extremely hard for attackers to compromise data. What is a disruptive defense? It is an uncommon defense, based on existing industry standards, that raises application security to higher levels than what is currently used by most applications.
There are six disruptive defenses that, when deployed, create significant barriers to attackers. They are as follows:
1. Eliminate shared-secret authentication schemes.
This includes passwords, one-time PINs, knowledge-based authentication, etc. This should be replaced with public key cryptography-based authentication that uses cryptographic hardware to protect keys.
Public key cryptography authentication (also known as "strong authentication") does not store secrets on the server. The secret remains with the user, stored in special hardware available on business desktops, laptops, modern mobile phones, smartcards and security keys. This is a modern authentication standard that eliminates passwords and is supported by all major operating systems as well as browsers. According to NIST, it provides the "highest assurance" among authentication technologies currently. Eliminating a 1960s authentication scheme on a 21st-century application should be the first defensive step of every web application.
2. Ensure the provenance of a transaction before it is committed.
This is accomplished through the use of a digital signature on a transaction, applied by the user using the same technology for strong authentication. Not only does this establish an authoritative source for the transaction (since only the user could have applied that digital signature with their consent), but it provides the business with a transaction confirmation, which is becoming increasingly necessary in many business environments.
3. Preserve the confidentiality of sensitive data within the application layer.
This excludes the practice of encrypting data within the database, operating system or disk drive. Encrypting sensitive data has become mandatory via multiple recent regulations. But application developers fool themselves when they use data at rest (data in a database, operating system or disk drive) encryption instead of ensuring that only authorized applications can decrypt sensitive data. Systems are rarely at rest; they're working 24 hours a day and decrypting data for attackers when a legitimate user's password-based credential is compromised. By combining disruptive defenses No. 1 and 3, applications will ensure unauthorized users never get to see decrypted data.
4. Preserve the integrity of a transaction through its lifetime.
This is accomplished, once again, by a digital signature, but it is applied by the application itself. While a digital signature acquired at the source of a transaction guarantees authenticity, transactions are modified in many applications. When data within the transaction changes, a new digital signature must be applied by the application to preserve the integrity of the modified transaction. Verifying the digital signatures of a transaction from its origin to its current state assures applications that unauthorized changes have not been made to data.
5. Use cryptographic hardware wherever cryptographic keys are stored and used.
Cryptography represents the last bastion of defense when protecting sensitive data. As such, cryptographic keys are the only objects standing between an attacker and a major headache for your company. While convenient, keys protected in files are protected by passwords and are subject to the same attacks that compromise user passwords. By using cryptographic hardware — present in all modern systems — applications create major barriers to attacks. While it may be argued that cryptographic hardware is also subject to attacks, evidence shows that these attacks are neither scalable nor common, as attackers would need access to the physical computer on which your cryptographic keys are stored to be able to compromise the keys.
6. Ensure cloud applications access cryptographic services from within a secure zone.
While the cloud offers many business benefits, attempting to access cryptographic services from within a public cloud's virtual machine is a recipe for disaster — the credentials necessary to authenticate to the cryptographic services are vulnerable to compromise in a public virtual machine (as some recent breaches highlight) — enabling attackers to use legitimate credentials to command key management systems to decrypt sensitive data for the attacker. Using an application architecture that guarantees access to cryptographic services only from a secure zone eliminates that risk completely.
All these disruptive defenses are based on industry standards and have been around for decades in most cases. Security-conscious professionals recognize protecting data by focusing on system security is a secondary defense; network defenses are generally nonproductive and should be minimized because the use of disruptive defenses assumes an attacker is on the network. The objective, now, is to protect data, even in the presence of this threat.