Data Protection with Encryption: Lessons Learned from Capital One
The Capital One data breach that compromised the personal information of more than 100 million people in the US and 6 million in Canada may have been preventable had the credit card issuer taken more care in configuring the firewall used to protect the system from intrusions. The incident only proves how important data protection mechanisms are in the digital world.
According to the FBI, Paige Thompson was allegedly able to break into data stored in the cloud, on remote servers maintained by Capital One’s third-party provider Amazon, because the firewall was not configured properly for the server it was meant to protect. That enabled her to access folders of data in Capital One’s storage space. It is still unknown whether she left an opening to penetrate the system while she worked at Amazon, or whether she simply knew the configurations well enough to breach it.
Although they do not believe she used any of the information fraudulently, the issue of security misconfigurations remains top of mind for those using cloud-based services, as does the relationship between in-house IT and third-party providers.
Provider Security Breaches
It’s hard to tell how well cloud providers are protecting your data. Reading the terms of service will let you know if a company might intentionally use or disclose your data, but it won’t reveal sloppy internal security and a failure to follow security best practices.
Unfortunately, if your organization’s data is compromised, you could be held responsible, even if the provider is at fault. Businesses are required to safeguard sensitive personal information, particularly information governed by compliance regimes such as HIPAA, PCI or GDPR. Even if your cloud provider claims to be “HIPAA compliant,” that doesn’t necessarily protect you or make you compliant.
Lack of Data Encryption
Part of what made it so easy for Thompson to access the information was that the data was not encrypted. Encrypted data storage provides an extra layer of security for your information: if a hacker gains access through some alternate means, as in the Capital One case, where she claimed to have used a special command to extract files from a Capital One directory stored on Amazon’s servers, they won’t be able to read it. That layer only holds if the encryption keys are kept separate from the storage they protect; a key sitting next to the data it encrypts adds little.
Encrypted cloud storage doesn’t come standard with most SaaS business software such as Dropbox, Office 365, and Google Apps (now known as G Suite). Many services encrypt data in transit — the information flowing between your computer and the cloud service — which is a great start. However, this protection is usually based on SSL/TLS, which has seen its share of attacks and, in any case, covers data only while it is moving: once the data lands on the provider’s disks, TLS no longer protects it.
The cloud has changed IT security forever. You can’t just wall in your data with firewalls when your data is scattered all over the planet. You need a combination of layered security for your primary, secondary, and archival data including strong data protection with encryption. Those layers will also include protections from both external and internal intrusions or malicious actors.
Thrive Can Help
At Thrive, we’re working hard to make cloud solutions even more secure. Our Veea