Try Controlling the “Blast Area” In a Breach
- By Lachlan Colquhoun
- March 20, 2023
Data has been called the “new oil” for some years now. But despite everything, we are still experiencing oil slicks and spillages.
Corporate reputations have been burned, brands destroyed, and many individuals' lives upended due to increasingly sophisticated cybercrimes, with bad actors often one step ahead of the game.
While many hacking attempts are stopped in their tracks, enough succeed for it to be one of the most important and recurring issues for organizations that increasingly need to collaborate, share data, and store it for compliance purposes.
In Australia, major telco Optus is still cleaning up after a massive September 2022 data hack exposed the personal data of 9.8 million Australians, many of them no longer customers of the company. To put it in context, the Optus hack exposed the data of around 40% of the Australian population.
The Australian Government will soon table reforms to data privacy regulations deemed too lax regarding fines and penalties.
Encryption is not enough
In advance of that, Ram Venkatesh – the chief technology officer for data platform provider Cloudera – has been in Australia meeting with customers, many of them in the financial sector, to discuss their data governance.
Venkatesh’s approach is to not look at data as such but at the insights it creates, as this can drive a safer governance approach, particularly in cases where providers are collaborating on data projects with a goal of monetization.
“Sharing data is always a risky proposition almost by design. Especially in use cases where you share data across enterprises, it gets more challenging,” he says.
“Let’s say you have a credit reporting agency and a bank, and they are trying to collaborate on a use case and bringing two select parts of customer data to do that analysis. You can’t just rely on your data being encrypted and your users authenticated.”
Venkatesh says data collaborators need to “narrow the blast radius.” This means not only having the required “belts and braces” of security and tracking data more granularly but drawing a distinction between the data and the insights it delivers.
This can lead to a safer approach where insights are shared, but critical data is not.
“Let's say you have a weather data set,” says Venkatesh.
“This might be to predict the weather in Sydney tomorrow at 11 am, and that uses an API. You make an API call; you get a piece of data back, and off you go,” he adds.
“The other option would be to get the data set for the weather and do this on your own. So the difference between data and insight can potentially be an app. An API can report something with limited interactivity, and that reduces the surface area of what you are trying to expose.”
This is not to say that apps and APIs are inherently safer. Other security firms often point out the danger of undocumented endpoints or “shadow APIs,” which are vulnerable.
But if the data which goes into the app is limited to its singular functionality, this can lessen the danger.
Problems can often emerge when internal details are accidentally exposed. In the weather example, the location data of the sensors used for the weather calculations can be exposed. Others might be able to determine exactly how the calculations were made, compromising private data that should not be shared.
“So I think that by making sure that you're being very specific about what you choose to share, and the higher level it is, you have sort of fewer unintended consequences of sharing data, and it's also easier to secure an API,” says Venkatesh.
“The other thing about data is once you give somebody a data set, it's theirs. They're going to do whatever they're going to do with the data. The second piece of the breach is about what the entity is going to do with the data, and that's an unbounded set of things,” he adds.
“Whereas if it's an insight, you can choose to say, ‘Okay, I'm only going to expose this piece of the data in a structured way so that even in the event of a breach, that's all somebody can do.’”
Sucking data from silos
In many cases, organizations share consumer data with downstream partners and collaborate to do analysis together.
It’s a model Cloudera has followed in the financial sector, creating a web-based business intelligence application for a banking client that enables the bank’s commercial customers to view key performance indicators about their business, clients and their competition.
The platform sucks in data from silos, then analyzes a wealth of anonymized financial and transactional data, including 50% of all national credit card transactions, to support business decisions.
An automated process encrypts and anonymizes data before it’s loaded into the cloud to analyze and visualize KPIs based on customer debit and credit transactions.
Nearly 1,000 customers access the service via an app, tapping into insights crunched in a “clean room” where the controlled data is analyzed.
“Think of it as you've set up a data train rule, and you're inviting a partner to their analysis inside the cleanroom,” says Venkatesh.
“But all of your rules around data sovereignty and data governance continue to apply. It’s about creating shared collaborative spaces that are fully under the control of the data provider.”
Lachlan Colquhoun is the Australia and New Zealand correspondent for CDOTrends and the NextGenConnectivity editor. He remains fascinated with how businesses reinvent themselves through digital technology to solve existing issues and change their entire business models.
Image credit: iStockphoto/Ekaterina Bedoeva