(US & Canada) Sid Dutta, CEO and Founder of Privaclave, speaks with Robert Lutton, VP, Sales and Marketing at Sandhill Consultants, in a video interview about how vulnerabilities lead to data breaches, data breach contributors in the cloud era, and the shift towards data-centric security measures.
Privaclave is a data-centric security solution for enterprises.
Speaking of common vulnerabilities within enterprises that lead to data breaches, Dutta states that numerous such contributing factors exist in the cybersecurity landscape.
Delving deeper, he cites the example of the Equifax data breach. He explains how it stemmed from the attackers exploiting a well-known vulnerability in the consumer complaint web portal.
Adding on, Dutta states that it was the Apache Struts vulnerability, which had a patch available as of March 2017, but Equifax failed to apply it. Two months after the patch was made available, attackers exploited the vulnerability to gain entry and move from the web portal to other internal servers.
The next factor in the breach was the lack of network segmentation, or micro-segmentation, which enabled attackers to move laterally across the network, says Dutta. Once inside, they found usernames and passwords stored in plain text, which gave them access to over 50 databases containing sensitive personal data of approximately 143 million U.S. citizens.
Moreover, Equifax failed to implement proper data obfuscation, encryption, or tokenization, says Dutta. While some databases might have used encryption at rest, it was ineffective because the attackers were posing as authorized users.
They were careful not to exfiltrate the entire data set at once, instead taking it gradually to avoid traffic spikes. Unfortunately, Equifax failed to catch this, because the TLS decryption certificate had expired and had not been renewed, which meant outbound traffic could not be monitored.
Summing up, Dutta states that the breach revealed multiple failures across various levels of the organization, from security protocols, patch management, and network segmentation to secrets management and machine identity oversight. Notably, even after a considerable amount of time has passed, these factors persist and still play a role in the breaches happening now, he adds.
Moving forward, Dutta shares that in the current cloud era, there have been more cases of APIs left unsecured and exposed, which gives attackers a path to backend data.
Furthermore, when data is shared with third-party vendors, vulnerabilities are likely to arise from a weak security framework on the third party's side. The consequence can be compromised credentials that let attackers into other companies that rely on those vendors.
Among the many data breach contributors, misconfigurations are a major one, says Dutta. For instance, he points to S3 buckets exposed on the internet; if those contain sensitive information, attackers can take advantage of it.
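As an added illustration of the misconfiguration Dutta describes, and not code from the interview or from Privaclave, the Python script below audits constructed S3 bucket policy documents for statements that grant read access to anonymous principals, and checks whether the account's Block Public Access settings would override such a grant. The policy documents, the account ID, and the VPC endpoint ID are constructed samples, and the logic is a simplified heuristic of the kind a CSPM or DSPM scanner runs, not AWS's full public-access evaluation (it takes no IAM, bucket ACL, or organization-level inputs).

```python
"""Flag S3 bucket policies that grant read access to anonymous principals.

Added example, not code from the interview or from Privaclave. Simplified
offline heuristic over constructed policy documents; not AWS's full
public-access evaluation (no IAM, bucket ACL, or org-level inputs).
"""
import fnmatch
import json

# IAM actions that let an anonymous caller read objects or list the bucket.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when Principal is '*' or {'AWS': '*'} (everyone, signed or not)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _grants_read(actions):
    """IAM action names are case-insensitive and may contain wildcards."""
    for pattern in actions:
        pattern = pattern.lower()
        if any(fnmatch.fnmatchcase(a, pattern) for a in READ_ACTIONS):
            return True
    return False


def public_read_statements(policy_json):
    """Return Sids (or positional labels) of Allow statements anyone can use."""
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        # Any Condition narrows the grant (e.g. aws:SourceVpce); this heuristic
        # treats such statements as scoped rather than public.
        if st.get("Condition"):
            continue
        if _grants_read(_as_list(st.get("Action"))):
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings


def block_public_access_complete(config):
    """True only when all four Block Public Access settings are enabled."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)


def audit_bucket(name, policy_json, bpa_config):
    """Combine both checks into one finding with a coarse severity."""
    exposed = public_read_statements(policy_json)
    bpa_ok = block_public_access_complete(bpa_config)
    if exposed and not bpa_ok:
        severity = "high"     # public read granted and nothing blocks it
    elif exposed:
        severity = "medium"   # grant exists but Block Public Access denies it
    else:
        severity = "info"
    return {"bucket": name, "public_statements": exposed,
            "block_public_access": bpa_ok, "severity": severity}


# --- constructed sample inputs (account and endpoint IDs are placeholders) ---
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:Get*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})

BPA_ALL_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BPA_OFF = {k: False for k in BPA_ALL_ON}

if __name__ == "__main__":
    for name, pol, bpa in (("public", PUBLIC_POLICY, BPA_OFF),
                           ("private", PRIVATE_POLICY, BPA_ALL_ON),
                           ("scoped", SCOPED_POLICY, BPA_ALL_ON)):
        print(audit_bucket(name, pol, bpa))
```

In a real pipeline the policy and Block Public Access documents would come from the bucket inventory rather than from inline constants, and the "medium" case is worth keeping visible: the grant is harmless today only because of an account-level setting that someone can switch off.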
Dutta then mentions user-centric mistakes, which highlight the lack of, and the need for, training, education, and awareness around phishing and social engineering.
When asked to share his observations on how organizations approach resolving vulnerabilities, he notes that the approach varies with a company's maturity and readiness.
Speaking from his experience as an advisor, Dutta shares that companies with a solid governance structure covering areas such as inventory, applications, and data can move rapidly towards data-centric security measures, including tokenization and application-level protection, while persistently protecting the data throughout its lifecycle.
However, some of these measures are often time-consuming, expensive, and invasive. This can be prohibitive for many organizations that lack sustained capacity or funding for cybersecurity.
Most companies, therefore, have resorted to data encryption at rest, along with access controls. Some incorporate multi-factor authentication, while others implement dynamic database masking.
Regardless, most organizations are still figuring out what data they have, which is a big problem, says Dutta. This leads to data discovery and classification initiatives, with companies adopting Data Security Posture Management (DSPM) tools. However, one has to work through a vast diversity of data stores, structured and semi-structured, to find out what is there.
The challenge is that even after a successful scan, companies are left with a flood of findings that a team has to decipher to understand what needs prioritization. Then it comes down to applying adequate security controls and reducing residual risk to an acceptable level.
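To make the sequence Dutta outlines concrete (scan diverse stores, label what is found, rank the flood of findings by residual risk, then apply a data-centric control such as tokenization to the highest-risk fields), here is an added Python example; it is not Privaclave's code and not anything shown in the interview. The data stores, sample rows, regex classifiers, sensitivity weights, and exposure multipliers are all constructed assumptions, and the token vault is a toy in-memory mapping standing in for an HSM- or KMS-backed tokenization service.

```python
"""Discovery -> classification -> prioritisation -> tokenisation.

Added example, not Privaclave's or CDO Magazine's code. Stores, columns,
patterns, weights, and multipliers are constructed for illustration.
"""
import copy
import re
import secrets

# Constructed inventory: store -> exposure attributes plus sample rows.
STORES = {
    "customer_db": {"internet_facing": False, "encrypted_at_rest": True, "rows": [
        {"id": 1, "email": "ann@example.com", "ssn": "123-45-6789", "note": "vip"},
        {"id": 2, "email": "bob@example.com", "ssn": "987-65-4321", "note": "n/a"}]},
    "support_portal": {"internet_facing": True, "encrypted_at_rest": False, "rows": [
        {"ticket": 77, "contact": "carol@example.com", "card": "4111111111111111"},
        {"ticket": 78, "contact": "dan@example.com", "card": "5500000000000004"}]},
    "app_logs": {"internet_facing": False, "encrypted_at_rest": False, "rows": [
        {"line": "GET /health 200"}, {"line": "GET /login 302"}]},
}

# Classifier: label -> (value pattern, sensitivity weight). Order matters.
PATTERNS = {
    "ssn": (re.compile(r"^\d{3}-\d{2}-\d{4}$"), 10),
    "card": (re.compile(r"^\d{13,19}$"), 9),
    "email": (re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"), 4),
}


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def classify_value(value):
    """Return the first matching label, or None for non-sensitive values."""
    if not isinstance(value, str):
        return None
    for label, (rx, _weight) in PATTERNS.items():
        if rx.match(value) and not (label == "card" and not luhn_ok(value)):
            return label
    return None


def discover(stores):
    """Label a column only when every sampled value carries the same label."""
    findings = []
    for store, meta in stores.items():
        rows = meta["rows"]
        for column in rows[0]:
            labels = {classify_value(r.get(column)) for r in rows}
            if len(labels) == 1 and None not in labels:
                findings.append({"store": store, "column": column,
                                 "label": next(iter(labels))})
    return findings


def risk_score(finding, stores):
    """Sensitivity weight scaled by where the data sits and how it is kept."""
    meta = stores[finding["store"]]
    score = PATTERNS[finding["label"]][1]
    if meta["internet_facing"]:
        score *= 2.0
    if not meta["encrypted_at_rest"]:
        score *= 1.5
    return score


def prioritize(findings, stores):
    """Highest residual risk first; this is the order the team works through."""
    return sorted(findings, key=lambda f: risk_score(f, stores), reverse=True)


class TokenVault:
    """Toy vault: random tokens, mapping kept only here. Same value -> same token."""
    def __init__(self):
        self._forward, self._reverse = {}, {}

    def tokenize(self, value):
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token):
        return self._reverse[token]


def protect(stores, findings, vault, min_score):
    """Return a copy of the stores with findings at/above min_score tokenised."""
    protected = copy.deepcopy(stores)
    for f in findings:
        if risk_score(f, stores) >= min_score:
            for row in protected[f["store"]]["rows"]:
                row[f["column"]] = vault.tokenize(row[f["column"]])
    return protected


if __name__ == "__main__":
    ranked = prioritize(discover(STORES), STORES)
    for f in ranked:
        print(f"{risk_score(f, STORES):5.1f}  {f['store']}.{f['column']}  {f['label']}")
    print(protect(STORES, ranked, TokenVault(), min_score=10)["support_portal"]["rows"][0])
```

The scoring deliberately ranks an e-mail column on an internet-facing, unencrypted portal above an SSN column in an encrypted internal database: sensitivity alone is not residual risk, and exposure is what a DSPM triage actually has to weigh. Tokenized rows keep their shape for the application while the vault, not the data store, becomes the only place the real values exist.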
In conclusion, Dutta endorses the zero-trust mindset of assuming the breach has already happened and working from that perspective. He recalls a security veteran's remark that there are two kinds of enterprises: those that have been breached and those that do not yet know it.
CDO Magazine appreciates Sid Dutta for sharing his insights with our global community.