With a record number of highly publicized career-ending data breaches, it has been a difficult time to be a CIO / CISO over the past 12 months, and there are no signs of things getting easier in the near future. The industry is facing the coming together of two key trends in data security: stronger regulatory requirements from authorities across the globe, and increasing levels of sophistication shown in the tactics of malicious hackers. Regulations such as GDPR in the EU and HIPAA in the US healthcare industry have redefined what is considered a data breach, and the threats to businesses are increasingly involving human targeting and social engineering to gain access to valuable personal data.
Protecting the personal data that an organization holds requires a comprehensive approach rather than just perimeter defense. It should be secure by design, protect against the internal threat from employees unintentionally complicit to a data breach, as well as aligned to the trajectory of data security priorities now, and indeed in the future.
End-to-End Encryption (E2EE): the silver bullet?
Therefore, minimizing this unhealthy reliance on data reduction is really the only option for delivering an acceptable cost per terabyte alongside data encryption. In direct contrast to all-flash, storage solutions that take a software-defined approach to achieve this will be the foundation needed to achieve the level of data security required by today’s regulatory environments, and tomorrow’s cyber threats.
Encryption of data can occur at many levels throughout the data center stack right from inside the storage array to the application itself.
Encrypting data at the storage layer (at rest) has always been the go-to strategy, as storage arrays can encrypt the data instantly without any performance penalty. The CIO is therefore happy as they can check the ‘encryption’ box under the impression that the data is fully secure. However, this is far from the case, as the attack surface for businesses is broader than a direct attack on data storage and encryption, as this layer cannot protect data in flight.
According to Verizon’s 2018 Data Breach Investigations Report, 93 percent of breaches were caused by phishing attacks sent to the company's internal employees. Today’s phishing attacks are more sophisticated than ever, utilizing social-engineering which can fool even the most savvy employees into clicking on malicious links or sending sensitive data to fraudulent parties. If businesses only encrypt data at the storage level, the data that these fallible humans have access to and are working with is completely unencrypted and therefore at risk as it transitions across layers such as databases, applications, and virtual machines. One human compromise and a malicious attacker has unfettered access to personal data.
As such, encryption must be applied much further up the business and more comprehensively across the technology stack, so that wherever the data resides or is in transit, it is immune to a data breach and the consequences of such events (See GDPR Article 34 Paragraph 3 as an example). After a data breach, CIOs who don’t adopt this updated gold-standard to protect customer data will undoubtedly be asked why they haven't.
The collision with modern data storage
Whilst implementing encryption at the application level is an emerging critical requirement to combat security threats, it can present a huge problem in the face of the realities of modern data storage. Further, the common use of All-Flash Arrays (AFAs) in data centers hailed by many as the future, is colliding head-on with the ability to implement E2EE where it is needed most.
AFAs rely heavily on data reduction to deliver their high level of performance at a workable cost to enterprises. The existential problem for AFAs in this scenario is that implementing E2EE fundamentally defeats data reduction! If a business’s data reduction ratio goes down from 4:1 to 1:1 as a result of encryption for example, the already sky high cost of all-flash is multiplied fourfold – a proposition that is simply untenable for the business.
Therefore, minimising this unhealthy reliance on data reduction is really the only option for delivering an acceptable cost per terabyte alongside data encryption. In direct contrast to all-flash, storage solutions that take a software-defined approach to achieve this will be the foundation needed to achieve the level of data security required by today’s regulatory environments, and tomorrow’s cyber threats.
Businesses must realize that their technology investments must support them on their future data security trajectory. Any infrastructural decision made now that is unable to implement end-to-end encryption is simply another accumulation of technological debt, and could be the undoing of businesses in the new era of personal data protection.