Why organizations must take back control of their data
By Dimitri Nemirovsky, Co-Founder & COO, Atakama
Sometimes, what a change represents is more meaningful than the change itself. A case in point is Apple’s recent launch of an advanced encryption suite to help customers keep their data private. Among a handful of new security tools is a feature that expands on existing end-to-end encryption facilities, giving users the option to fully encrypt data stored in its iCloud service.
The fact that Apple takes encryption seriously should surprise no one. Apple has long set the standard for consumer data privacy, with the tech giant’s security measures among the most trusted in the industry. Apple’s record $26.25 billion spend on R&D in its 2022 fiscal year is another testament to its continuing commitment to innovation.
But what has changed is Apple’s approach to the end user. In granting control of the encryption keys that protect customers’ sensitive data to users, Apple has put the user in the driving seat. Now, users can take responsibility for their data even in the event of an Apple data breach.
This represents a sea change in mindsets around data privacy, doubtlessly driven by regulatory pressures, media scrutiny, and the direct financial and reputational losses incurred by organizations facing evolving cyber threats.
But what does this mean for enterprise data security?
There is an opportunity for Apple’s approach to become normalized and adopted as a standard across the enterprise. This approach is pivotal in preparing for inevitable data breaches – and with the right tools, organizations can take control over their encryption keys and stay in charge of their security infrastructure, without relying on a third party.
Third parties: a fast-growing risk to data security
Enterprises and consumers alike have historically relied on intermediaries to secure their data, and regulations and standards are in place which govern levels of compliance and security. No executive wants to sit in front of a congressional committee investigating a data breach and admit that they failed their compliance obligations. Yet, as the third-party landscape changes, and data bridges linked by APIs bring disparate third parties closer together, the responsibility for securing data can shift from party to party. Responsibility for security ultimately rests with the owners of the data, and that’s exactly why organizations must have absolute control over the keys that secure their data.
Enterprises, which appreciate the value of the data they own, cannot afford to rely on bulk encryption techniques or centralized Identity and Access Management (IAM) solutions to defeat breaches. Even if organizations encrypt data, it remains vulnerable to theft if they rely on centralized encryption key management. Organizations must stop locking away their critical data in a centralized, third-party-owned vault along with everyone else’s data. Recognizing that securing the perimeter is just one aspect of securing the data inside it, firms also need their own safe deposit box within the vault – and only they should hold the key. This empowers organizations to control their data and better protect themselves.
Hacking is not a question of when, but how often
There has been an alarming rise in ransomware breaches globally, with attacks against organizations up by 13% in the space of a year. It’s a reminder that determined cybercriminals will stop at nothing to access, steal, and ultimately leak data for financial gain.
It is no longer a question of whether an organization is going to be attacked. It’s not even a question of when – organizations now need to consider how often they will be attacked. Any organization that fails to embrace an assume-breach mindset is setting itself up for catastrophe.
Notwithstanding the traditional problem of organizations focusing on keeping threats out via IAM and thinking that nothing can be done to secure data from bad actors already within the perimeter, organizations have no excuse not to seize control over their encryption keys. Unsurprisingly, companies which have been hacked take securing data within the perimeter much more seriously.
But while Apple is making strides to empower the consumer, the enterprise world continues to lag behind. Few organizations are taking advantage of Bring Your Own Key (BYOK) capabilities that enable them to manage their own encryption, and often this is due to complexity. Administering keys is not a simple task: it is far from frictionless, and there are significant penalties, including permanent data loss, for making mistakes. Even the most sophisticated entities can get tripped up by key management, as the recent AWS security incident demonstrates.
Organizations need new tools to control their data, independently manage their keys, and strengthen their defenses in the face of growing security threats. The latest advances in multifactor encryption eliminate the reliance on third parties and IAM for data protection, protecting organizations from data exfiltration by empowering them to secure their critical information on their own.
Conventional encryption relies on centralized keys and leans heavily on user credentials and identities, leaving organizations vulnerable to mass exfiltration of data as soon as a user is authenticated. Encryption on its own doesn’t provide any meaningful level of defense unless its keys are held independently of the centralized access management system that the attacker has already breached.
With multifactor encryption, data at rest is encrypted using AES-256 keys. A unique key is generated for each object and then automatically fragmented and distributed across physical devices, eliminating central points of attack and central points of failure. Utilizing this approach, bad actors find that they are in a vault which requires keys that they can’t access.
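The per-object key fragmentation described above, as an added illustration that is not Atakama’s code or design: each object gets a fresh 256-bit key, which is split with Shamir secret sharing (an assumption about how the fragmentation could be implemented) so that any threshold-sized group of devices can rebuild the key while fewer fragments reveal nothing about it. The AES encryption of the object itself is omitted, since the Python standard library has no AES.

```python
import secrets

# Field prime for the shares: 2^521 - 1 (a Mersenne prime), large enough to hold any
# 256-bit AES key as one field element. Shamir splitting is an assumption about how
# "fragmentation across devices" could be done, not the vendor's implementation.
PRIME = 2**521 - 1
KEY_BITS = 256


def generate_object_key() -> bytes:
    """One fresh 256-bit key per object; never reused across files."""
    return secrets.token_bytes(KEY_BITS // 8)


def _eval_poly(coeffs, x):
    # Horner evaluation of the share polynomial at x, modulo PRIME.
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, shares: int):
    """Split a key into `shares` fragments; any `threshold` of them recover it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(key, "big")
    # The constant term is the key; the other coefficients are uniformly random,
    # so any set of fewer than `threshold` points is consistent with every key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # Fragment i is the point (i, f(i)); x = 0 is never handed out because f(0) is the key.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_key(fragments):
    """Lagrange interpolation at x = 0 over the supplied (device-held) fragments."""
    secret = 0
    for i, (xi, yi) in enumerate(fragments):
        num, den = 1, 1
        for j, (xj, _) in enumerate(fragments):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    # With too few fragments the interpolated value is just a random field element,
    # which lies outside the 256-bit key space with overwhelming probability.
    if secret >= 1 << KEY_BITS:
        return None
    return secret.to_bytes(KEY_BITS // 8, "big")
```

A 2-of-3 split (for example laptop, phone and a policy server) means a single stolen device, or a compromised central directory, holds nothing usable on its own.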
For users, decryption is frictionless: with a few clicks on a file, a user approves a notification prompt on a mobile device. Policies can be designed to map organizational workflows, providing automation that ensures security while granting users the agility and flexibility to work with documents seamlessly. This allows organizations to maintain complete control of their encryption without falling into the common trap of sacrificing data accessibility for data security.
Flexible deployment gives organizations the freedom to secure their data in the way that best suits their environment, offering unrivalled data protection even when rules-based access controls fail and facilitating innovation and productivity.
Decentralized multifactor encryption transforms the way enterprise data is protected, putting organizations in the driving seat of their own data security by giving them full control over their most sensitive assets.
About the Author
Dimitri Nemirovsky is the Co-Founder & COO of Atakama. Dimitri holds BBA and MBA degrees from Baruch College and earned his JD from Brooklyn Law School. Prior to co-founding Atakama, Dimitri spent 15 years as an attorney, most recently practicing regulatory and enforcement law at Bingham McCutchen where he represented large financial institutions in high-stakes matters. Dimitri began his career at Merrill Lynch.