Opinion: Norman Shaw, Founder and CEO of ExactTrak, on the perfect storm of data breaches and how hardware security is the future.
Security has become a mainstream topic. With reams of negative media coverage surrounding data breaches, it’s on everyone’s radar. For the enterprise, policies and practices such as BYOD, IoT, and remote working amplify security as a concern while the fines associated with a breach have escalated it to a Boardroom issue.
Protecting against data breaches has become a priority but organisations must start looking to hardware-based solutions.
The year of the data breach
Huge cyber security breaches at Ashley Madison and TalkTalk brought global media coverage of the problem and how it affects consumers. But the problem isn’t just cyber attacks, as evidenced by the human error breaches at the Dean Street Clinic, Thomson, and the various local authorities that were repeat offenders according to the Big Brother Watch report.
In what could easily be described as the year of the data breach, what was noticeably absent was the debate about how to stop these attacks and what methods would be best for different circumstances.
BYOD, remote working and IoT
Increasing consumer expectation to access information anywhere, anytime has overflowed into the workplace with employees now expecting their employers to have a Bring Your Own Device (BYOD) policy.
This, combined with the proliferation of the Internet of Things (IoT) and remote working has created the perfect storm for the IT department. Security is now one of the highest priorities but most organisations are running to keep up rather than getting ahead of the problem.
The problems with software encryption
Software encryption has traditionally been the most popular security solution because updates can be done remotely by the IT department. It’s always been perceived as cheaper than hardware but that’s not necessarily true as it often means numerous annually payable license fees.
Software encryption can also be complicated or perceived as slowing down the device, which can often lead to users finding a way to disable the encryption. Those that require passwords can also be problematic for the IT department as users choose easy-to-remember passwords, write them down in as easy-to-find place, share them with colleagues and family or simply use the same ones as they do for everything else, including their personal devices and accounts which are often not subject to much or any security, making it easy for hackers to find a way into the corporate data secured by software encryption. There’s also the issue that the software encryption is only ever as good as the security on the actual hardware or OS.
The benefits of hardware-based security
Hardware-based security, contained on the device itself, means that authentication is completed before the operating system even boots up. This makes it especially hard for cyber hackers to penetrate the device.
Previously, hardware-based security was designed as closed systems whereby no code or know-how was shared so it was hard to verify or audit the solution. Now, ARM’s TrustZone technology is bringing hardware-based security into the future by providing an open source platform where organisations can develop a broad security ecosystem through its programmable operating environment.
Trustzone‘s technology essentially creates a separate zone on a chip where organisations can create rules so specific security-related requests can run in these special areas designed for trusted code. This reduces the potential attack surface while the programmable aspect of the technology allows organisations to create security solutions within the ecosystem to address their individual security threats.
It’s not all about hacking
Cyber security and hacking are much reported on but human error remains the number one cause of data breaches. Hardware-based security solutions exist that take control away from the user, keeping it under the strict purview of the IT department that can remotely control whether the user can see the data on the device or not, and track the files that are added, deleted or printed from the device.
Devices such as USBs and laptops can also contain geo-location positioning that can be helpful in locating a lost device and providing a verifiable audit trail. Hardware-based security on devices like this can also allow the IT department to delete the data held on those devices remotely if they are lost or stolen – an incredibly useful tool when the horse has bolted.
Sadly, the remote data delete option of many mobile devices only works about 50% of the time due to to a variety of factors. Of course, many organisations will say it’s okay if a device is lost because it was encrypted but the problem with this argument is that it simply cannot be proved without recovering the device.
Whenever a security solution is deployed, it must address several key themes. Compliancy laws such as HIPAA, PCI and the new EU regulations on data protection must be met. How the solution interacts with the human element must be considered because people will make mistakes.
And of course, security solutions must be deployed taking into consideration the specific security threats of each individual organisation and the open-source TrustZone platform by ARM is leading the way towards a collaborative eco-system which allows organisations to do just that.