Equifax Breach: 143 million identities stolen, 1 lesson to learn…
SaaS and IaaS cloud provider encryption is NOT enough to secure your data.
If you are an American with a credit history, chances are that you are impacted by the latest data breach fiasco, i.e. the Equifax breach. Although data breaches have flooded the news for the past couple of years, the revelation that 143 million consumer records were breached – nearly half of the US population1, is by far the worst!
Why the worst?
Because 143 million consumer identities are lost forever. Sensitive information such as social security numbers, birth dates, addresses and driver’s license numbers can be used by attackers to commit identity fraud in many ways. A stolen credit card can be canceled, but your identity cannot! It is an irreparable damage for your entire life.
So what really happened?
Equifax confirmed that hackers took advantage of an application vulnerability in Apache Struts to access the system and the data behind the application. After getting into the system, hackers accessed the files and databases, and exfiltrated sensitive data to a server they controlled.
One of the main reasons they were able to get access to this data was because sensitive data was left unencrypted, while the application was using it. Think about it, if an application can access sensitive data so easily, so can a hacker, who can gain access to that application. It is as simple as that.
In case of Equifax, the negligence was in not applying the patch in a timely manner. But even if the system had been patched, how would an organization protect itself from zero-day threats and vulnerabilities? You cannot react to something you do not know exists. That is why sensitive data should always be encrypted, even when the application is using it.
Data should always be encrypted, but is cloud provider encryption not enough?
Everyone talks of providing encryption, but not every encryption approach or solution is equal.
An organization can either let a cloud provider application encrypt their data or encrypt data on their side, before it leaves their premises. Many organizations use cloud provider encryption and believe that they have complete data protection. However, most breaches happen when a hacker breaks into the application layer, exploits weak APIs, gets access to credentials and steals sensitive data.
For example, take a popular SaaS application like Salesforce. Salesforce Shield encryption is limited to data-at-rest in their database, and it does not protect data in-use, when it is being processed by the application. Hackers can easily exploit a published or unpublished zero-day vulnerability of dozens of open source modules used by Salesforce (Java, jetty, Gin, Guice, Jackson, Apache, ext.js, etc.) and then access all your data. Again, it is important to note if the Salesforce application can see and use all your data in the clear, so can the hackers, after exploiting a vulnerability in their module. The Equifax breach is a glaring example of how easily application vulnerabilities can be exploited to steal data even when it is encrypted by the cloud provider.
To answer the question, Yes, cloud provider encryption is not enough. It just gives organizations a false sense of security and does not protect them from various threats like account hijacking with stolen credentials, cloud providers malicious insiders, insecure APIs, forced disclosure and surveillance.
So what is the right approach to completely secure my data?
In a quest to stay ahead of adversaries, we established that organizations need to ensure they take the right approach to protect sensitive data.
Key ownership is the second piece of the puzzle. You need to have exclusive access to your encryption keys. How much data security can you truly get if a SaaS application provider holds onto both your data and your keys?
Some of Equifax’s data was encrypted in AWS. However, Equifax decided to keep the keys along with the data, enabling the hackers to get access to both the data and the keys.
Even from an industry best practice perspective, key management should be separated from the cloud provider hosting the data, as it provides the most effective control and protection against various threats. The best way to gain control over your data, is to encrypt it and retain sole access to the key. Use end-to-end information protection. Nothing less is acceptable.
“Encryption that follows with the data no matter where it goes, paired with strongly secured encryption keys that are retained by the customer, will go a long way towards making sure that even if applications are compromised, the data itself remains unreadable and unusable to the bad actors,”
– Pravin Kothari , CipherCloud founder and CEO.
For all these reasons, end-to-end information protection is the most effective cloud data protection strategy. When you encrypt your data before it leaves your premises and retain exclusive control of the encryption keys, you prevent hackers from misusing it.
So, in the case of Equifax breach, the 143-Million-dollar question or maybe even 143-Billion-dollar question (only time will tell) is will we learn the lesson? Will we stop relying solely on SaaS and IaaS cloud provider encryption to secure our data?
- Attend the webinar: 3 Lessons from the Equifax Breach.
What you can do to protect your business.
1 Hackers Accessed The Personal Data Of 143 Million People, Equifax Says
Colin Dwyer – http://www.npr.org/sections/thetwo-way/2017/09/07/549296359/hackers-accessed-the-personal-data-of-143-million-people-equifax-says