Friday, February 6, 2015

Data Breaches: Why Store Data You Cannot Secure?

It has happened yet again. A massive data breach at a major corporation. Yesterday it was Target, today it is Anthem, and tomorrow it can be anyone else - possibly YOU!
This endless battle between attacker and defender is not new, though. It is perhaps as old as the human race itself. A caveman would have stashed his kill for a rainy day only to find that someone else had looked for it, found it and pilfered it away.
What surprises me, though, is our tendency to create data hoards which are prime targets for data thieves. It reminds me of the days when wealth used to be stored in temples and churches, making them the place to go for periodic plunder by marauders.
Why store the Social Security Number (SSN)? Does it really need to be stored? Use of the Social Security Number to establish identity may be a matter of law and of convenience, but I am not sure why corporations need to store it. I would think that once the identity is established (a trusted connection) using the SSN, the same should be discarded and replaced by a "Trusted Handshake Indicator" verifying that trust has been established. This is not rocket science; it is somewhat similar to what companies do when they use your credit card number for a transaction and you do not want it stored by them for repeated transactions. The fact that the SSN is stored in the databases makes them more vulnerable to attack. If you store gold, tonnes of it, and are afraid of it getting stolen, you need to make sure it is as secure as Fort Knox. Or, better still, do not store it at all.
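The verify-then-discard flow described above, sketched as an added example (not code from the original post). The authority check, `MemberStore` and the sample SSN are hypothetical and constructed for illustration; building the indicator as an HMAC over the member ID and verification time is one possible design, which the post does not specify.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical stand-in for the authoritative identity check.
# Constructed sample data; the SSN is not a real number.
_AUTHORITY = {("Jane Doe", "000-12-3456")}


def authority_confirms(name: str, ssn: str) -> bool:
    return (name, ssn) in _AUTHORITY


class MemberStore:
    """Stores a 'Trusted Handshake Indicator' per member, never the SSN."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # assumption: kept outside the database
        self.rows = {}                       # what a database dump would expose

    def _tag(self, member_id: str, verified_at: int) -> str:
        # Not derived from the SSN: a 9-digit SSN has at most 10**9 values,
        # so a stored hash of it could be brute-forced after a breach.
        msg = f"{member_id}|{verified_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def enroll(self, member_id: str, name: str, ssn: str) -> bool:
        if not authority_confirms(name, ssn):
            return False
        verified_at = int(time.time())
        self.rows[member_id] = {
            "name": name,
            "verified_at": verified_at,
            "indicator": self._tag(member_id, verified_at),
        }
        return True  # the SSN was used once and is not written anywhere

    def is_trusted(self, member_id: str) -> bool:
        row = self.rows.get(member_id)
        if row is None:
            return False
        expected = self._tag(member_id, row["verified_at"])
        return hmac.compare_digest(expected, row["indicator"])


def dump_contains(store: MemberStore, needle: str) -> bool:
    """Simulates searching a stolen copy of the table for a value."""
    return needle in repr(store.rows)
```

A stolen copy of `rows` yields names and indicators only, and an indicator forged without the key fails `is_trusted`.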
Why not distribute the data storage? Secondly, if the SSN and other data have to be stored, why store them in a single large data warehouse where a single breach makes the entire store vulnerable? Why not distribute the data over multiple warehouses, each with its own security and defenses? This way at least the scope of a breach can be contained and isolated. I know that the conventional wisdom of yore was to build massive data warehouses to ensure quick retrieval and processing, and companies made huge investments to build those warehousing capabilities. But now technology has evolved. It is quite easy to pull data from disparate data sources for transaction processing and reporting. (Think Google: it does not need all the information it searches stored on a single large server.) The cost of a data breach can easily surpass the benefits of having all data stored in a single repository.
I am no data security guru and perhaps the above approaches are simplistic. Hey, but we have got to start thinking and challenging assumptions.
Will we get to a perfectly secure system? Never. You may build the best defenses only to find someone drive an armored SUV through the shatterproof glass windows (Gold Nuggets Stolen From Wells Fargo Museum in San Francisco).
This cat and mouse game between attacker and defender started in antiquity and is likely to extend till eternity...

