If you can believe it, it’s been 10 years since Steve Jobs introduced the first iPhone. It was sold only by Cingular Wireless (AT&T), and used GPRS and EDGE for data transfer. Needless to say, much has changed since then. And mobile computing isn’t the only technology that has captured attention and taken hold in the enterprise. As we look at how recent technology advancements have impacted the industry, we should also note that they have greatly affected every organization’s ability to secure its data.
Starting with cloud computing, the last 10 years have been disrupted by Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) offerings. Industry stalwarts that were selling millions of dollars in hardware to every organization’s data center felt the tectonic shift toward the cloud. The rise of services like Salesforce, Amazon Web Services, Google Cloud and Microsoft Azure has been a direct result of organizations of all sizes seeing the cloud’s vast benefits, such as cost savings, agility and improved experiences for customers and employees alike. I expect to hear more about Google Cloud’s plans during the Google Next event later this week.
Yet when it comes to security, there are some precautions that organizations must take when putting data in the cloud. Cryptographic keys, used to protect the confidentiality and integrity of sensitive data, must be given a high level of protection – you should retain control of your keys. By keeping ownership and control over your keys, you can maintain the root of trust in your entire system and reduce the chance of losing them or having them stolen.
As I noted above, it’s been 10 years since the original iPhone was introduced and transformed our world. It might surprise you to know that a year after its launch, there were 800 apps in the App Store. As of January 2017, there were 2.2 million apps available. But that is still second place, as Google Play has more than 2.6 million apps in its store. It is also important to note that business apps are the second most popular category, after games. This highlights the impact that smartphones have had on how we work, not just how we play.
Employees are more likely to be storing sensitive data in their smartphones, right next to their gaming and productivity apps. The challenge is that smartphone apps are often collecting and storing data – outside the control of IT, and sometimes without any security protocols to protect it. Think about it this way: Your organization’s sensitive data could be sitting in every employee’s pocket. If sensitive data is collected by a mobile app, there is a risk that the data will get into the wrong hands. Pervasive, transparent data encryption and strong security policies will help to mitigate that risk.
Business Insider Intelligence projects there will be 34 billion devices connected to the internet by 2020, up from 10 billion in 2015. These devices can be found at work, in our cities and in our homes.
From implantable defibrillators to industrial control valves, from smart meters to fitness trackers, there are more devices connecting to the internet each day. IoT brings increasingly smart objects and a higher connectivity between them. Industries such as travel; transportation; industrial manufacturing and equipment; healthcare; and energy are adopting IoT in greater numbers.
I believe we are on the precipice of a major technology shift – a move to machines driven by advances in AI and machine learning. This incredible opportunity and resulting impact will compel businesses to rethink the parameters of privacy and alter their data protection strategies, not to mention compliance standards. Why? While IoT has enormous potential to improve our lives, it is apparent that it comes with a host of security challenges that have not yet been fully addressed. This is where Thales can help by providing cryptographic credentials that establish a unique identity for each device – a digital birth certificate, if you will. With so much at stake, security needs to be required and installed at the manufacturer level, including introducing digital birth certificates into devices right from the start. It may not solve every security woe, but it’s certainly a good first step.
Another technology that has gained a large following is containers, and Docker in particular. In the modern development environment with practices and processes in line with agile development and DevOps, Docker has caused quite a buzz as probably the most-talked-about technology in 2016. In fact, Docker adoption grew by 30 percent last year, and it is reaching larger enterprise customers, not only small to mid-sized organizations.
We happily embrace this new technology that developers are clamoring for, but as a CISO, you need to ask yourself: what is the risk? While Docker and other container vendors are putting significant resources into areas such as vulnerability scanning, there are other issues at hand when deploying apps in containers, beyond the usual application security challenges. For example, the Docker process on the host runs with root privileges, which means Docker administrators have access to all Docker images and linked data sets. Why should you care? Because a root-privilege escalation attack on the host has the capability to expose any sensitive data stored in Docker environments. At the same time, Docker image and data-specific controls are minimal. As Docker is usually implemented in cloud or shared virtualization infrastructure, there is a risk of exposure from service providers hosting images from multiple customers or sources.
CISOs using Docker or container technology in general should encrypt containers, institute policies that limit access and use, allow Docker to be used only in authorized environments, and restrict access to data resources used by Docker.
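One way to check the "limit access" recommendation above on a Linux host, as an added example that is not part of the original post: it compares the members of the docker group with an approved list and flags a world-accessible daemon socket. The group file content, the approved list and the socket mode are constructed sample values.

```python
import stat

# Constructed sample: /etc/group content from a hypothetical shared build host.
SAMPLE_GROUP_FILE = """\
root:x:0:
docker:x:998:alice,ci-runner,bob
developers:x:1001:alice,bob,carol
"""

# Assumption: the accounts approved to administer Docker on this host.
APPROVED_DOCKER_ADMINS = {"alice", "ci-runner"}


def docker_group_members(group_text, group_name="docker"):
    """Return the members of group_name from /etc/group-formatted text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == group_name:
            return [m for m in fields[3].split(",") if m]
    return []


def audit_docker_access(group_text, socket_mode, approved):
    """List findings about who can reach the root-privileged Docker daemon."""
    findings = []
    for user in docker_group_members(group_text):
        if user not in approved:
            findings.append(f"unapproved docker group member: {user}")
    # Write access to the daemon socket is enough to run containers as root.
    if socket_mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(
            f"daemon socket is world-accessible: {stat.filemode(socket_mode)}")
    return findings


if __name__ == "__main__":
    # Constructed socket mode; on a real host use os.stat(path).st_mode.
    for finding in audit_docker_access(
            SAMPLE_GROUP_FILE, stat.S_IFSOCK | 0o666, APPROVED_DOCKER_ADMINS):
        print(finding)
```

The group file lists supplementary members only, so accounts whose primary group is docker, or that come from a directory service, need a separate check.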
Perhaps the newest technology to gain widespread attention is blockchain. The technology behind Bitcoin is being credited as a major game-changer by Wall Street. Wall Street wants to use blockchains to simplify the way it processes transactions. Blockchain is a ledger that maintains a growing list of data records or transactions – but it’s so much more than that. It’s shared publicly, decentralized and automated. Since no person or entity controls the ledger, and it relies on consensus to allow transactions, it is inherently more secure and trusted. Entries to the ledger cannot be revised or tampered with – not even by the operators of the database. You can see why a fraud-resistant technology would be of great interest in the financial sector.
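The tamper-evidence property described above comes from each ledger entry committing to the hash of the one before it. The following added example (not code from the original post or from any blockchain project) shows only that hash-linking step, with constructed records and hypothetical function names; consensus among participants is not modelled.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry


def entry_hash(prev_hash, record):
    """Hash an entry together with the hash of its predecessor."""
    payload = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(ledger, record):
    """Append record to the ledger, linking it to the current last entry."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "record": record,
                   "hash": entry_hash(prev, record)})


def first_invalid_entry(ledger):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for index, entry in enumerate(ledger):
        expected = entry_hash(entry["prev"], entry["record"])
        if entry["prev"] != prev or entry["hash"] != expected:
            return index
        prev = entry["hash"]
    return None


def build_sample_ledger():
    """Build a three-entry ledger from constructed payment records."""
    ledger = []
    for record in (
        {"from": "acct-A", "to": "acct-B", "amount": 100},
        {"from": "acct-B", "to": "acct-C", "amount": 40},
        {"from": "acct-C", "to": "acct-A", "amount": 15},
    ):
        append_entry(ledger, record)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    ledger[1]["record"]["amount"] = 9000   # an operator edits a stored entry
    print("first invalid entry:", first_invalid_entry(ledger))
```

Recomputing the edited entry's own hash only moves the failure to the next entry, so a revision has to rewrite every later entry, which participants holding their own copy of the ledger can detect.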
Blockchain adoption is in its infancy, but interest is high. According to a recent survey from Deloitte, 12 percent of big businesses may have already deployed blockchain projects. While popular with financial services, especially in the area of payments, there are many opportunities for blockchain to disrupt the status quo, such as voting, IoT, online music, healthcare, law enforcement, and even cybersecurity. I can see a number of industries that would benefit from a system that allows multiple parties to transfer and store sensitive information in a space that’s secure, permanent, anonymous, and easily accessible.
A look back at technology advances over the last 10 years really drives home the idea that change is coming at a rapid pace – and there will be winners and losers along the way. It also makes me optimistic that our industry will continue to draw in talented minds to solve the security problems presented by these technology breakthroughs.