In the annals of massive, potentially game-changing data breaches, this summer’s JPMorgan Chase breach, which the New York Times reports “compromised the accounts of 76 million households and seven million small businesses,” may be one of the most significant, even though, so far, the only information known to have been stolen is accountholder contact information and no fraud incidents have come to light. The story is still developing, but it already offers several important data security lessons for the banking and retail sectors and for the enterprise at large.
The lesson is this: complexity breeds vulnerability.
According to the Times, citing several people with knowledge of the results of the bank’s forensics investigation, all of whom spoke on the condition of anonymity, the hackers appear to have obtained a list of the applications and programs that run on JPMorgan’s computers, a road map of sorts, which they could crosscheck against known vulnerabilities in each program and web application in search of an entry point back into the bank’s systems.
Every additional application, program, service and entry point in an IT environment is another chance for a successful intrusion, and an attacker holding an inventory like the one described above can work through it systematically. Infrastructure and application security are complex, moving targets, after all. A change in one area frequently causes a conflict or outright failure in another, and the more complex the overall system, the easier it is for such issues to arise and go unnoticed. This holds true even in organizations with large security budgets and sizable, well-organized IT teams. The practical corollary is that defenders need the same road map the attackers had: an accurate, current inventory of what is running and exposed, checked against known vulnerabilities, because the unpatched service nobody remembered is the entry point of choice.
Given that infrastructure and application controls will sometimes fail, it is becoming increasingly clear that a data-centric security strategy, built on strong and persistent encryption of the data itself, is critical. If you need to protect your data, in other words, then protect your data. Encryption that stays with the data wherever it goes, paired with encryption keys that are stored and managed separately from the data they protect, goes a long way towards ensuring that even if infrastructure or applications are compromised, the data itself remains unreadable and unusable to those who steal it. The caveat is that the protection is only as strong as the key separation: a system that keeps the keys alongside the ciphertext, or a compromised application that is allowed to decrypt everything, hands the attacker the plaintext along with the data.
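What "encryption that stays with the data, with the keys kept apart" looks like in practice, as an added example that is not from the original post or from JPMorgan Chase: a Go program, standard library only, doing envelope encryption with AES-GCM. Each record gets its own random data key, the data key is sealed under a key-encryption key (KEK) that the storage layer never sees, and the record’s identifier is bound in as associated data so a sealed record cannot be moved onto another row. The function names, the 32-byte KEK literal, the record format and the "customer:42" context are constructed for illustration; in production the KEK would live in an HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored or shipped: the encrypted record plus the
// per-record data key that encrypted it, sealed under a key-encryption key
// (KEK) that stays in the key store. A database dump yields only these bytes.
type Envelope struct {
	WrappedKey []byte // data key sealed under the KEK: nonce || ciphertext || tag
	Ciphertext []byte // record sealed under the data key: nonce || ciphertext || tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key and returns nonce || ciphertext || tag.
// aad is authenticated but not encrypted; it binds the blob to its context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal. A wrong key, a modified blob or a different aad all make
// the GCM tag check fail, so the caller gets an error rather than garbage.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt makes a fresh 256-bit data key for this record, seals the record with it,
// then seals the data key under the KEK. context (e.g. the record's primary key) is
// the AAD for both, so an envelope copied onto another record's row will not open.
func Encrypt(kek, record, context []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, record, context)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dataKey, context)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the KEK, then opens the record. Without the
// KEK the first step already fails: a stolen envelope is just bytes.
func Decrypt(kek []byte, env *Envelope, context []byte) ([]byte, error) {
	dataKey, err := open(kek, env.WrappedKey, context)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext, context)
}

func main() {
	kek := []byte("0123456789abcdef0123456789abcdef") // constructed KEK; in production it lives in an HSM/KMS
	record := []byte("acct=000123456;name=Jane Doe;email=jane@example.com") // constructed record
	context := []byte("customer:42")                                      // constructed record ID
	env, err := Encrypt(kek, record, context)
	if err != nil {
		panic(err)
	}
	// Attacker's view: envelope in hand, no KEK (an all-zero key stands in for "no key").
	_, err = Decrypt(make([]byte, 32), env, context)
	fmt.Println("without the KEK:", err)
	// Application's view: KEK available, correct context.
	pt, err := Decrypt(kek, env, context)
	if err != nil {
		panic(err)
	}
	fmt.Println("with the KEK:", string(pt))
}
```

The design choice worth noting is that only the process holding the KEK, or the credentials to call the KMS that holds it, can turn an envelope back into plaintext. That process is therefore the real target, and it is what the key-separation caveat above is about: keep the KEK out of the application’s address space where you can (HSM or KMS), keep the decrypt path narrow, and log every unwrap, because a compromised application with unrestricted decrypt rights makes the encryption moot.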
Data encryption also goes a long way towards addressing inherent vulnerabilities that are outside an organization’s control. Take credit card numbers: the US lags far behind on the security curve. No significant advances have been made in magnetic stripe technology since the 1960s, and even when the transition to chip cards happens next year, that is still a twenty-year-old technology. Meanwhile, attackers keep getting better at stealing what is on those cards. Until better protection arrives, most likely at the front end, on the card and consumer side, it is up to organizations to make their best effort to protect the data once they receive it.
As JPMorgan Chase and the dozen or so other financial institutions now said to have been attacked show, no one is immune. Even JPMorgan Chase’s $250 million annual security budget could not stop this breach. With that in mind, focus on what matters most: the data you cannot afford to see stolen.
What do you think of the JPMorgan Chase breach? Tell us your opinions in the comments.