January Cloud Security Roundup
- Ariella Mankowitz
- 4 minute read
Missed the hottest cloud news of the month? Don’t worry, we’ve got you covered in this month’s cloud roundup.
This month we focused on data leaks, protection and all things encryption, as well as cryptographic trends for 2021 and IBM's new FHE cloud testing environment.
Save time and check out our summaries below.
Title: Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit
Writer: David E. Sanger, Nicole Perlroth and Eric Schmitt
Summary: The Pentagon, Fortune 500 companies and multiple intelligence agencies have been compromised by Russian intelligence, which broke in by tampering with SolarWinds software. A tainted software update was downloaded by about 18,000 government and private users, giving the hackers access to copious amounts of data. The attack went undetected by United States officials until a private cybersecurity firm, FireEye, alerted American intelligence officials. While not every company that utilised SolarWinds software appears to have been compromised, investigators are still trying to determine the amount of American data leaked to the Russians. In a turn of events, the most ironic element of all was the vague statement released by the Department of Homeland Security: “The Department of Homeland Security is aware of reports of a breach. We are currently investigating the matter.” Keep in mind that this is the very department that encourages companies to come forward and disclose to their customers when they have suffered a breach. Regardless, the extent of the stolen data is still being determined.
What Our Experts Had to Say About This: The SolarWinds hackers gained access through cloud-based services operated within the company, proving that modern cloud architectures should assume a breach. Managing copious amounts of data, as SolarWinds does, raises the question of why all this data was not heavily encrypted so that the sensitive information stayed protected even in the event of a breach. Encrypting data at all times (in transit, at rest, in use) significantly reduces the risk of a data breach and, above all, its fallout. Organizations need to put measures in place to combat the effects of a malicious attacker, or even render the outcome moot altogether.
Title: An agency can run a completely compliant network and still be breached by a trusted user’s account being exposed.
Writer: John Harmon
Summary: Following the SolarWinds incident, Harmon rethinks the way organizations typically approach security requirements. What has come to the fore is that compliance is not security. Compliance is accountability: just because an organization fulfils all the compliance requirements does not mean that it is secure. For instance, compliance fails to assess internal attacks. It is clear that there needs to be a shift in mindset from “protect the network” to “secure the assets and data”; only then will organizations stop cleaning up after breaches and start preventing the damage before it is done. By securing data and ensuring that it is accessible in plaintext only to a select number of individuals, organizations can collaborate more freely with other enterprises. In doing so, organizations can even enhance the technologies that monitor and control access to their data, and do not have to be locked into one vendor.
What Our Experts Had to Say About This: At the end of the day, organizations need to protect their data. This does not happen by checking off a list issued by some regulator; it happens by diving deep into an organization’s ecosystem and pinpointing exactly where its weaknesses are. Don’t get us wrong, the regulations are there to protect people and to give a guide as to what is allowed and what is not. However, protecting data starts and ends with the data, and an organization needs to begin by focusing on achieving the highest level of data protection.
Title: IBM launches experimental homomorphic data encryption environment for the enterprise
Writer: Charlie Osborne
Summary: IBM has recently announced a Fully Homomorphic Encryption (FHE) cloud testing environment for enterprises. This will enable clients to begin experimenting with the technology and discover how it would integrate with their existing IT infrastructure and data. FHE allows data to remain encrypted while it is being processed, thereby ensuring that data remains encrypted and secured at all times. Previously, FHE was impractical in the commercial sector because working with the encrypted data required a large amount of compute power. However, thanks to industry advancements, FHE is now becoming more applicable to real-world use cases. Using IBM’s environment, organizations can begin to understand the full potential of FHE and all it has to offer for the future of cloud computing and privacy.
What Our Experts Had to Say About This: In a world where one should assume a breach even before it happens, encryption is the last line of defense. However, until FHE it was not possible to perform computations on encrypted data. FHE is regarded as the “holy grail” of cryptography, and it is the only form of homomorphic encryption that can handle arbitrary computations on the ciphertext. However, FHE has not yet been fast enough to process data in real time for customer-facing applications. Kindite’s Collaborative Encryption Solution could solve all the FHE drawbacks, especially regarding real-time data processing. Kindite’s technology acts as a bridge between the application and the database, allowing the data to remain encrypted while all standard operations are performed, with no need for code changes.
Title: Six cryptographic trends we’ll see next year
Writer: Ryan Smith
Summary: 2020 was a year of challenges and growth, and as the new year approaches, Ryan Smith predicts a number of cryptographic trends to expect in 2021.
Below are our top 3 predicted trends for the year to come:
- The cloud and its role in financial services - Organizations are becoming more invested in the cloud, and as such there is a broad movement towards cloud-based encryption and key management solutions. Cloud providers are also offering more robust security solutions that allow organizations to have more control over their keys and data access.
- BYOE adoption will increase - Bring Your Own Encryption (BYOE) enables organizations to determine the level of control they want over their encryption keys. By doing this, organizations are able to manage the security of their data at all times.
- The significance of cryptography for DevSecOps - The goal is to give DevSecOps teams the tools they need to integrate security and to identify and troubleshoot problem areas more quickly. This refers specifically to key management and HSMs (Hardware Security Modules). HSMs are particularly crucial for code signing, so the goal would be to centralize and automate code-signing certificates, secure key generation and certificate storage so that they can integrate with CI/CD systems. To understand more about how HSMs work, check out our blog post: https://blog.kindite.com/the-gap-between-hsm-security-and-cloud-environment-needs
What Our Experts Had to Say About This: The cloud is the future; 2020 was proof of that. How to secure the cloud and protect resources remains a concern for organizations, especially as the work-from-home (WFH) mandate continues into 2021. A lack of control over our assets and the way we secure them leaves us vulnerable and dependent, hence the rise of BYOE. As such, Kindite anticipates that the cloud will continue to grow in popularity as organizations have realized the flexibility, growth and security that the cloud can offer, so long as data remains encrypted at all times. With this being said, along with an encryption solution there are other aspects that also need to be addressed; this is where HSM and key management solutions come in. 2021 is going to be an interesting year for the cryptographic arena, and we at Kindite look forward to keeping you informed.