- Security TWENTY
- Women in Security
Does the cloud really live up to its security expectations? asks Ian Smith, Founder and CEO of Gospel Technology, a blockchain product company.
Having worked in the data management industry for nearly two decades, I have noticed that “the new data culture” promised by the introduction of cloud technologies hasn’t quite taken off to the level promised to the enterprise market. As the cloud model has matured from basic hosting all the way up to full services, a huge element of competitive uniqueness and identity is the data that is generated and leveraged across businesses. Cloud architectural models have evolved from hosted hardware through to sophisticated virtual, multi-tenant services.
In enterprise these models were initially met with scepticism, and we haven’t really yet seen the great leap forward that was predicted in the take up of these services across the globe. Whether that’s cost or cultural reasons, there may also be a genuine and increasingly high profile reason – that of data security.
Enterprises had of course always developed private, purpose built IT fortresses which are secured by isolation and both physical and virtual perimeters. Through perimeterisation came the belief that trust could be obtained within these highly controlled environments. This traditional datacentre model would include scale-up, proprietary hardware orientated architecture where business services were limited to a physical unit. ‘Locking the cabinet’ provided a great deal of comfort against any external threats. However, this model has quickly moved from being an asset to a liability.
Whilst there is no doubt this type of isolation provides a degree of security, modern business no longer happens in proprietary siloed methods. Other business partners, clients and systems are highly distributed, and the idea of centralising is against the modern trajectory of business. We even see a new breed of business and technology ‘cloud native’ which has been built and designed in (and for) exactly this type of hosted, distributed architecture. These agile and fast moving new entrants are global from the beginning and are focused on consumer grade engagement. The ease of use is core to their success.
This modern type of collaborative and sharing mentality means that traditional enterprise has sprung a plethora of ‘shadow’ IT workarounds across its data borders, and in many cases lost control of their vital data assets. Countless examples abound of intercompany and extra-company data sharing that punch holes straight through the “secure” perimeters and make a mockery of the once hallowed silo walls. CSV files extracted and sent across insecure email channels, or downloaded onto a CD and sent on a physical courier to a trusted partner – these are not unusual activities to find somewhere within an enterprise, either with or without official permission from IT owners and certainly going against standard company and regulatory protocols.
This activity isn’t usually malicious of course, it’s simply a necessary way to break the chains on the valuable enterprise data contained within each isolated silo, and to allow efficient and profitable use of that data to maintain a competitive edge over the more agile rivals, or to reduce the pressure on the bottom line. More and more managers are demanding access and availability to data right across their networks, whether that be system data or personal records,to allow them the insight and knowledge to compete.
And that of course is a major driver of enterprises who are taking up the challenge and moving toward digital transformation. It is no longer a question of if, it is a question of when.
But are the traditional data managers right to be cynical? The perceived loss of “control” once the data effectively leaves the confines of your protected environment can be alarming, and has certainly come at a cost for some high profile companies. Practically every week we hear of yet another data breach happening across the ultra-connected digital world that was meant to come with a high level of data resilience. In March this year alone, 74 million pieces of individual data were leaked globally. In May of next year we have the General Data Protection Regulation (GDPR) which will see a company who doesn’t report on a data breach within 72 hours be subject to a fine of 4% of their previous year’s global turnover or €20, whichever is the biggest. No wonder so many IT overseers are quaking in their boots about “releasing” their data to the cloud.
And this is just from external threats, how can you control and monitor what’s happening to the data within your decentralised infrastructure?
So could a new technology be the key to allowing enterprises the freedom they want (and their managers demand) without exposing them wide open to a malicious attack or a leak that could cost them millions in fines? In order to truly have the freedom and agility to act on the data collected, generated and shared within your organisation’s networks, you absolutely have to trust where it is, where it’s been and who or what has accessed it.
Blockchains, or more specifically distributed ledger technologies,are not really a new technology (and you would have to be from Mars not to have heard the hype), but the way they have mainly been used previously has been as the underwriting ledger to crypto currencies like bitcoins. Huge public shared ledgers that mathematically deliver trust in an uncontrolled environment, where the distributed results and grouped consensus is derived to determine the integrity of the absolute result.
As an append-only database technology, every new block of information is encrypted with a part of the previous one, making the historical record of data unchangeable. This builds up into a chain, where if it were even possible to remove a link, this would be identified immediately.
What if that same immutability could be applied across the enterprise to the both its corporate system data and that of the personally identifiable information (PII) that they hold and wish to share, but within a private, permissioned blockchain?
As it happens the underlying principles are perfect for just such a set-up, and a small number of firms are developing these enterprise blockchains: private, permission based ledgers that maintain the consensus architecture and high governance, whilst dropping the unnecessary and energy sapping public computing side.
What’s more, the data logic in the platforms being built upon these ledgers means that highly sophisticated and encrypted methods of authorisation and authentication can be built in, allowing not only consent based distribution of personal information (by the owner), but limited access rights to any such information by any particular sanctioned 3rd party.
Not only would the ledger have a complete immutable record of what has happened to that data, but the software can also completely control who has access, when and what is shared.
It’s early days for such systems, but it certainly seems that distributed ledger technologies could hold the key for finally allowing the de-perimeterisation of data to safely follow the de-perimeterisation of infrastructure into the clouds.