Data Breaches and Penalties

Kim Chen Bock

In the continuing assault on data, there’s little relief in sight. For instance, Ponemon’s Cost of a Data Breach study calculates the global average cost of a data breach at $3.86 million-a 6.4 percent increase over last year’s statistic.[i] The average cost for a single breached record containing confidential information is $148, a 4.8 percent increase from the previous year. Meanwhile, the 2018 Trustwave Global Security Report paints a sobering picture regarding top intrusion methods, targeted industries and geographies, and frequent vulnerabilities associated with applications databases and networks.[ii] If those statistics don’t convince you of the growing threat, an exploration of Privacy Rights Clearinghouse’s Chronology of Data Breaches certainly will.[iii]

Governments bolster regulations with penalties

Every organization strives to keep data secure. However, in light of the frequency of successful cyberattacks and the often less-than-forthright acknowledgment of such attacks by major organizations, governments have stepped in to implement data processing and privacy regulations which impose severe penalties for violations. Such regulations are designed to force organizations to up their game regarding cybersecurity. A few examples convey the gravity of the penalties:

  • European Union’s GDPR is one of the most stringent of these new regulations. Organizations may incur fines of up to €20 million (approximately US$23 million) or 4% of annual global revenues for violations.
  • Canada’s PIPEDA can impose fines up to C$100,000 (approximately US$77,000) on organizations that knowingly fail to report data breaches to the Office of the Privacy Commissioner of Canada (OPC).
  • Australia’s Notifiable Data Breaches (NDB) scheme imposes fines up to A$2.1 million (approximately US$1.5 million) for failure to notify the Australian Information Commissioner as well as the individuals affected.
  • Inspired by the GDPR, Brazil is moving forward with a Personal Data Protection Regulation (LGPD), which is expected to take effect in early 2020. Noncompliance can result in fines of up to two percent of gross sales, with a limit of R$50 million (approximately US$12.9 million) per violation.

Although these regulations provide ample time for organizations to prepare, the complexity of contemporary IT environments presents significant challenges, particularly for organizations operating globally. Rapid migration to cloud environments and a burgeoning digital economy-the IDC predicts 50% of global GDP will be digitized by 2021-create new security challenges in managing the ever-growing volumes of data.

Organizations respond with investments in cybersecurity

Attaining and maintaining compliance with country-specific data protection regulations add to the complexity. Financial penalties like those noted above compel global organizations to prioritize cybersecurity. Given the complexity of IT environments distributed globally-the majority of organizations contract with multiple cloud providers for services-is there a baseline strategy to reduce the risk of data breaches and incursion of penalties, regardless of location or cloud environment?

Encryption is a bedrock data security strategy

Data encryption is a bedrock data security strategy, providing byte-level security. Encrypted data remains useless ciphertext without access to encryption keys. The challenge, however, is efficient management of encryption keys when encrypted data is stored across multiple cloud environments and is potentially subject to data sovereignty regulations.

The Hardware Security Module (HSM) method is not ideal for multicloud environments

Hardware Security Modules (HSM) are a proven means of protecting encryption keys and have proven their worth in on-premises data centers. With the move to the cloud, however, organizations relinquish responsibility for selecting and provisioning HSMs. That responsibility is assumed by the cloud provider, who hosts the HSM of their choice in their own data centers. Organizations who contract with multiple cloud providers must then use different encryption key management tools for each provider. At a time when cybersecurity skills are in short supply, organizations should seek simplicity, not greater complexity, in managing cybersecurity.

Is a Key Management Service (KMS) a better alternative?

Alternatively, several cloud providers offer Key Management Services (KMS). While these don’t require HSMs (though some providers also include HSMs for an added level of key protection), they have the limitation of providing encryption key management only within the cloud provider’s environment. Here again arises the issue of complexity-this approach demands a different KMS for each of the cloud providers you work with.

HSM as a service is centralized and cloud-neutral

To reduce the complexity of encryption key management in multicloud environments without diminishing security, HSM as a Service provides HSM-level security without the cost and overhead of hardware selection and provisioning. HSM as a Service simplifies the challenges of encryption key management in multicloud environments while providing additional levels of security in the following ways:

  • Provides a single, centralized, cloud-neutral method for managing encryption key lifecycles-creation, rotation, import, export and deletion, for leading cloud platforms such as AWS, Azure, Google, IBM and Oracle.
  • Can be located at the digital edge to comply with in-country data sovereignty regulations.
  • Fault-tolerant, highly available, and possessive of both cloud scalability and low-latency to support the most demanding processing volumes.
  • Keys are maintained in an encrypted database when not in use. When in use, keys are only available inside a secure enclave to ensure key material is never accessible in plaintext to any software component.
  • Provides an added level of security by maintaining encryption keys separately from the data they encrypt. With this strategy, a successful breach of the data repository renders only meaningless ciphertext.

Given the challenges of effectively securing globally distributed data in multicloud environments and the consequential economic penalties for failure, organizations need to adopt consistent enterprise strategies to ensure adequate protection, compliance with country-specific regulations and simplicity in management. HSM as a Service addresses these requirements without burdening already-stretched data security organizations. HSM simplifies encryption key management without sacrificing security.

Interconnection Oriented Architecture (IOA) avoids internet vulnerabilities

While data encryption is a foundational component of cybersecurity, it alone does not guarantee immunity to data breaches. Connections among cloud services, applications, networks and carriers are points of vulnerability when those connections are provided via the internet. These vulnerabilities can be eliminated by bypassing the public internet and employing an Interconnection Oriented Architecture (IOA) that offers private network backbones and cloud interconnection control points. The private network eliminates intrusion risks associated with internet connections; the IOA also provides a set of security controls to examine, segment, inspect, filter, direct and encrypt incoming and outbound traffic in real-time. These control points reside in interconnection hubs, which can be geographically dispersed to bring data and apps closer to user populations.

In today’s world of damaging cyberattacks and stringent regulations, the need to protect data only increases. When combined, HSM as a Service and Interconnection Oriented Architecture help enterprises reduce the risk of data breaches and any associated penalties. Enterprises should look toward these security solutions to streamline and simplify the complicated matter of data protection while greatly reducing the joint risks of breaches and penalties.

[i] Ponemon, Cost of a Data Breach Study, 2018

[ii] TrustWave: Global Security Report, 2018

[ii] Privacy Rights Clearinghouse, Data Breaches, 2018

Kim Chen Bock Product Marketing - Head of Emerging Services - Data, Security, Applications