The way businesses think about risk and reward has historically made it hard for organizations to prioritize security, but businesses are finally getting the message. Studies like the Ponemon Cost of Data Breach report have helped the security industry frame cloud security risks in terms of ROI, and not just risk mitigation. Saying extensive encryption might prevent a major breach can seem abstract — telling executives that they’ll save $16 per record compromised or $385,000 per breach makes it easier to understand the benefits.
This growing awareness has driven a cloud security spending CAGR of 28%, to a predicted $3.5 billion by 2021. That’s still a relatively small part of cloud spending — Forrester predicts total cloud services spending of $236 billion by 2020 — but you’d still expect it to drive a decrease in cloud security breaches.
However, the cost of breaches is still growing. A Cybersecurity Ventures study predicts that the annual global cost of cybercrime will double from $3 trillion to $6 trillion between 2015 and 2021. In the United States, the Trump White House recently continued a cyber security state of emergency declared by President Obama in 2015, and it’s likely that emergency will become the new normal. And while we make progress against older cloud security threats, newer attacks like business email compromise attacks and botnets targeting IoT devices will inevitably gain traction. Why aren’t we making more progress?
Cyber Security Hasn’t Caught Up With Technology
With all the concern about hackers, it’s easy to forget how new cloud security risks are. The first computer worm was only released in 1989, and throughout the 1990s, hacking was a hobby, not a business. Viruses caused real damage and data loss, but they weren’t designed to hijack your bank account or steal your identity. It wasn’t until the late 90s that companies like Microsoft started to prioritize cyber security, and through much of the 2000s, hacking wasn’t seen as a major threat to ordinary users — save the risk of data loss. In fact, the World Privacy Forum report on medical identity theft was groundbreaking when it was released in 2006.
We’ve made amazing progress in such a short timeframe. Today, more than half of web traffic is protected by TLS encryption, cloud vendors have developed automated practices to protect their infrastructure, and everything down to the network architecture can be optimized for security.
But in some pretty fundamental ways, our approach to security hasn’t advanced much at all. We still focus on guarding infrastructure itself to keep the bad guys out. Traffic inside is trusted (although this has been changing), which means it’s hard to spot a hacker once they’ve slipped past the gate. This approach made sense when computer networks were isolated islands, and work was done onsite. You could assign passwords, screen workers at the door if necessary, and be reasonably confident that no bad actor was going to get in. It would be very hard for someone with malicious intent to sneak in, steal a password, and gain access to your network.
But the walls aren’t real anymore. Your workers use their own devices, which have apps you don’t control, and send data across the open Internet. Just logging in through an unsecured router in a coffee shop, clicking an infected link, or having a laptop stolen could be enough to compromise enterprise data security. And your partners, app providers, and customers all have access to your landscape. Even if a hacker can’t get in through weaknesses in your network or one of your employee accounts, they can likely find some way in.
It’s not just a matter of scale — the cloud is a completely different animal than early networks. Every device can potentially connect to any other connected device. It’s like the difference between guarding a grain silo and protecting an entire agricultural region.
Addressing Cloud Security Risks, But Not Their Causes
It’s easy to see the benefits of a new technology. It’s much harder to anticipate its risks or how it can be exploited. There’s been a lot of interesting work on why the founders of the Internet didn’t see its security hazards, but how could they have? When you’re part of a small community just learning how to network computers together, you’re probably not going to be able to anticipate all the problems of securing a network of 3 billion users with computers far ahead of your current technology. The particulars are interesting, but the mistakes were more or less inevitable.
The problem is, we’ve never gone back and systematically applied what we’ve learned about IT security to the Internet as a whole. Even for new products, privacy by design is the exception rather than the rule, as we can see by all of the security incidents around IoT. Unless security is your product, it’s usually more profitable to focus on bringing the product to market quickly, and treat cloud security risks as an afterthought.
And for the security market, it’s much easier to cash in on treating the symptoms than curing the disease. SIEMs, Security as a Service (SaaS), security intelligence, network hardening, and countless other products compete in an endless arms race against hackers and government surveillance. That’s not necessarily an indictment of the security industry — organizations do need tools immediately to fight present cloud security threats. However, it’s an approach that will never solve the problem.
What Would It Take to Fix Cloud Security?
There’s no such thing as a perfect solution. There will always be cloud security risks. The best we can do is to give individuals and organizations the power to protect their private information, and quickly detect and mitigate attacks. Right now, you don’t have that power over most cloud data. If a hacker intercepts your data traveling across the Internet, a partner loses control of your IP, or an unsafe app puts your private information at risk, you won’t know.
To move beyond plugging holes, we need platform-independent, data-centric security and access control. In other words, we need a system that allows users and organizations to control access to their own data, wherever it goes. From a centralized console, users should be able to specify who can access documents, emails, PDFs and so on, and quickly rescind access if that data may have been compromised.
Platform-Independent Security For Email: The First Step
We’re not there yet, but we’ve made some important progress towards that goal for email and file encryption. Virtru users can send secure email and attachments to any email address, allowing recipients to read emails, download attachments, and respond securely without installing Virtru or signing up for an account.
Virtru also increases visibility and control of sensitive data. Read receipts let users and admins track exactly who has received, read, or forwarded an encrypted email — even after multiple rounds of forwarding. Users can disable forwarding, set time limits on messages or rescind them outright, revoking access from recipients. Virtru PDF watermarking takes access control a step further, allowing recipients to read documents while preventing them from downloading. That way, they can’t keep a local copy and continue to use it after access has been revoked.
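The data-centric model described above (a policy that travels with the data, recipient lists, expiry, forwarding control, read receipts and revocation) can be illustrated with a small policy server that releases a per-object key only after checking the policy on every access. This is an added example, not Virtru’s code or protocol; all names and values are constructed, and the keystream cipher is a demo-only stand-in for a real AEAD such as AES-GCM.

```python
"""Data-centric access control demo: the object is encrypted once, travels
anywhere, and the key is released by a policy server that checks the
recipient, expiry and revocation state on each read (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Demo-only stand-in for an AEAD: HMAC-SHA256 counter keystream.
    # Safe here only because every object gets a fresh random key.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Policy:
    owner: str
    recipients: set          # who may request the key
    expires_at: int          # Unix time; 0 means never
    forwarding: bool = True  # may recipients add new recipients?
    revoked: bool = False


class PolicyServer:
    """Holds data keys and policies; the ciphertext itself is never stored here."""

    def __init__(self):
        self._keys, self._policies, self.access_log = {}, {}, []

    def protect(self, obj_id: str, plaintext: bytes, policy: Policy) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[obj_id], self._policies[obj_id] = key, policy
        return _keystream_xor(key, plaintext)  # ciphertext can go anywhere

    def request_key(self, obj_id: str, user: str, now: int) -> bytes:
        p = self._policies[obj_id]
        allowed = (not p.revoked and user in p.recipients
                   and (p.expires_at == 0 or now < p.expires_at))
        self.access_log.append((obj_id, user, now, allowed))  # read receipt
        if not allowed:
            raise PermissionError(f"{user} denied access to {obj_id}")
        return self._keys[obj_id]

    def forward(self, obj_id: str, sender: str, new_recipient: str) -> None:
        p = self._policies[obj_id]
        if sender not in p.recipients or not p.forwarding:
            raise PermissionError("forwarding not permitted")
        p.recipients.add(new_recipient)

    def revoke(self, obj_id: str, owner: str) -> None:
        p = self._policies[obj_id]
        if owner != p.owner:
            raise PermissionError("only the owner may revoke")
        p.revoked = True  # every later key request is denied and logged


def open_object(server: PolicyServer, obj_id: str, user: str,
                ciphertext: bytes, now: int) -> bytes:
    return _keystream_xor(server.request_key(obj_id, user, now), ciphertext)
```

Because the ciphertext is useless without a key release, revoking at the server cuts off every copy of the object at once, and the access log doubles as the audit trail for who tried to read it and when.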
It’s a major step forward for secure communication — a low-cost email solution that doesn’t limit you to communicating with others on the same platform. But email and file encryption is only the beginning.