If you follow us on Twitter (if you don’t, you can fix that now) you’ll notice that we post about data security breaches hitting the internet community. We don’t do it to be malicious or gloat about their failures, but to increase awareness beyond the core community of security professionals. Keeping computer systems secure is a complex challenge, and few people are well-versed in its many facets and subtleties. We deal with security every day with our customer identity and access management platform Passport, so we encourage as much discussion as possible to hear about current trends and risks. We hear all the time “We just need to lock it down” or, even worse, “See? You can’t stop cyber breaches.” Fortunately, neither of these is true.
Data Security Is Complex
The reason data security is difficult is that threats come from a wide range of sources. Some industry professionals use a metaphor comparing system security to putting a strong lock on the front door of your house, but that doesn’t even come close to encompassing the complexity of the situation. Security professionals need to defend against:
- Hardware attacks that take advantage of vulnerabilities in routers, processors, equipment and connection pathways
- Firmware attacks that exploit the core functional code of our computers and devices
- Software attacks that invade the sites, tools, and applications that allow us to communicate and interact
- Social engineering attacks that focus on the most easily targeted access point of all: the people using the system
If we wanted to make the house metaphor accurate, we’d have to include doors, windows, family, guests, friends of guests, furniture and appliances, contractors and service professionals—basically everything, everyone and anything that gets close to your house. Plus, we’d have to mention that there are always thousands of people trying to find a way to break in every moment of every day. This is just the beginning of the challenges a security professional has to consider.
And it gets worse. What if you had to worry about the locks on your neighbor’s doors? With the explosion of cloud-based and multi-tenant services, security pros need to think about how their systems can be compromised by sharing multi-tenant resources. (Read here for more information about single and multi-tenant systems.) Not only that, hackers are leveraging advances in processing power and computer AI technology to build an ever-evolving set of exploits and attacks.
If it’s not your primary job, it’s not easy to stay ahead of the variety of possible hacks. With Passport, we are constantly refining our codebase to handle increasingly sophisticated challenges and work with the security-developer community to stay on top of the most recent exploits. We even do our own research—in 2016 we hosted a hack challenge for the community to take their best shot. We were not disappointed. The talented team at Polynome successfully breached the security on our testing server, illustrating how creative and detailed an attack can be.
Five Recent Failures
Fortunately for us, we were just doing research. The following companies weren’t hosting a hack challenge. They were going about their day and serving customers when their security was breached and their data compromised. Notice that some of these were attacks on systems they owned, while others came through a third-party partner that wasn’t focused on data security. Others were just neglectful in their data management practices. No matter the cause, their data is compromised and they must deal with the consequences.
- Delta Airlines, Sears, Kmart, and BestBuy are all victims of the same multi-tenant system breach.
- Bug exposed data on millions of Panera customers through their loyalty program.
- Another 5 million customers’ data stolen from Saks Fifth Avenue and Lord & Taylor.
- Under Armour says 150 million MyFitnessPal accounts breached.
- I can’t even keep up with the details of Facebook’s data issues, so here’s just one to start with.
Data Security Is A Full-Time Job
The point of all this is that system security and data privacy are a full-time job and SHOULD be a high priority for every organization. Unfortunately, it’s not easy for large companies to defend against cyber threats, and it can be even more difficult for startups and small- to medium-sized companies with more restricted time and money. Every company must balance its resources to protect against the most probable threats, and be ready to address any issues that arise. Sometimes it works out and they never have any problems. Other times there are failures at the worst possible time, impacting users, punishing the company’s reputation, and costing millions of dollars. (According to IBM, attacks specifically focused on locking critical data and collecting ransoms cost firms more than $8 billion last year.) Additionally, with the GDPR becoming enforceable this May, there are substantial risks of legal violations and monetary fines. There is no question that data security and privacy will be a prominent issue in the coming years, and companies should start preparing right away.
Where Do We Start?
A question we hear frequently is “With all the possible issues, where do we start?” The current best answer is to balance your available resources against the most common threats and get the most secure system you can afford. Incorporate security considerations into your decision-making process, and think of the short- and long-term risks.
For example, a component that is common in almost every application is identity and access management. At its most basic, this is the registration and login process and, according to security experts, one of the most vulnerable to attackers. Hackers often get their first entry into a system through a compromised user identity or weak validation process, and from there are able to access the rest of the system’s data.
Frequently, the development of this highly targeted access point is assigned to a junior developer with little to no experience in security. Since it is not a “revenue generating” component of the application, it is considered not worth the time of the senior application engineers, who focus on core components. This creates an immediate risk for any business: inexperienced developers building the one part of the system almost guaranteed to be attacked by experienced hackers using their most refined techniques. Clearly a recipe for disaster.
One solution to this front-line risk is Passport, our flexible and secure customer identity and access management platform. Easy for any developer to install and activate, Passport allows an application to have a powerful user management system without investing extensive hours of senior developer time. Our UX and security teams have put hundreds of hours into Passport to provide a product that is simple for customers and secure for one to one million users and beyond. By using Passport, a company can eliminate a severe security risk from its application while saving valuable developer resources.
Clearly this is a self-serving example, but the basic premise stands: whether selecting identity management, cloud servers, or payment processing, data security should be considered early in the planning process. If you decide to build in-house, make sure your team understands the complexity of security needs and plans to continue revising the system to keep up with evolving exploits. If you decide to use a third party as a technology provider, ask them how they address security issues and stay current. While a system failure may lose them a customer, it can cost you your business and reputation. Consider data security early in your planning process and hopefully you can avoid a costly day at the breach.
Learn More About Passport
Passport is designed to be the most flexible and secure Customer Identity and Access Management solution available on the market. More than a login tool, we provide registration, data search, user segmentation and advanced user management across applications. Find out more about Passport and sign up for a free trial today.