This recent story on TechRadar illustrates precisely the data security and risk governance problem enterprises face today amid accelerated digital transformation. The data in question is clearly subject to multiple regulatory regimes: GDPR is the most obvious, but because the data is insurance related it also falls under the FCA and the ICO in the UK, and, if any of it concerns US customers, possibly GLBA. That should mean scrutiny over handling and care, yet here the data was left exposed to compromise all too easily. I’m sure the developer named in the article was doing their best to meet business objectives and timelines on this Azure-based project, but the breach points to avoidable gaps in cloud data security risk management. So how does this kind of incident happen to well-intentioned enterprises?
While regulations like GDPR (data protection by design and by default) and CCPA push organizations toward ‘Secure by Design’ and ‘Privacy by Design’ principles, at the end of the day it is often left to developers to deliver under extreme pressure. A new generation of early-career developers brings much-sought, high-value cloud application skills, gained either in fast-moving cloud-first startups or through recent professional training, but they often rely on the cloud platform itself for security without a deep awareness of its limits: what the platform does and does not protect when a resource is misconfigured, a credential is compromised, or the application is under attack. And why should they? Their goals are business value and customer experience, the hooks that differentiate and delight end users and give birth to unicorns. However, the substantial investment that turns ideas into innovation and execution is rendered moot if customer delight turns to customer distrust after a data breach. Consumers hesitate to adopt, quickly turn and move on, and the incident may be irrecoverable, with a heavy toll on the C-suite of the affected entity. Data security must therefore become part of the DevOps fabric and process, built into the CI/CD pipeline by default rather than as the exception, and not bolted on after it’s too late.
In the enterprise space over the last decade, seasoned developers and engineering managers who have lived through painful breach incidents, and who have bought into evolved OWASP principles and MITRE ATT&CK situational awareness, weave security and risk mitigation into their software development lifecycles and operational processes. Seasoned enterprise security architects responsible for bringing ‘state of the art’ to new data engineering strategies may also be well versed in powerful defensive techniques such as tokenization, data-centric encryption, and Zero Trust architectures. Unfortunately, this level of experience isn’t pervasive. According to the recent (ISC)² Cybersecurity Workforce Study, even with COVID-19 and the resulting changes in hiring and focus on digital transformation, the cyber security workforce still needs to grow by a staggering 89% to meet demand, a shortfall of more than 3 million skilled practitioners. This severe shortage of security skills, combined with the increasing complexity of the infrastructure in transformation and data engineering projects, means organizations must adopt security tooling and governance that addresses risk and privacy issues while being immediately consumable without requiring yet more specialists. 2021 is going to amplify this problem, and the breach noted above is merely the thin end of the wedge.
This case is precisely why modern data security tooling that doesn’t require a PhD to integrate, operate and manage is essential for every CISO, who is ultimately the accountable caretaker of the personal and sensitive data fueling enterprise growth and agility.
If this sounds like a familiar challenge, and your transformation projects have data leakage risk concerns you’d like to avoid, don’t hesitate to get in touch.