Data Security Strategy Beyond Access Control: Data Encryption

Lulu Cheng - Aug 29 - - Dev Community

The cost, frequency, and scale of data breaches continue to rise year over year. According to the IBM 2023 Cost of a Data Breach Report, the average cost reached $4.45 million in 2023. The number of breaches and the amount of exposed records have also increased, with over 22 billion records compromised in 2023 alone, as highlighted in the IBM Security Data Breach Report. So, what are companies doing to improve their data security?

Common Data Security Vulnerabilities

Misconfiguration

Cloud storage or databases are left publicly accessible due to simple mistakes. For example, AWS S3 bucket misconfigurations have led to numerous data breaches, exposing sensitive information without detection.

Weak Authentication

Weak passwords or the lack of multi-factor authentication (MFA) make it easier for attackers to gain access. After a recent breach, Snowflake implemented mandatory MFA to enhance security.

Unencrypted Data

Data that isn’t encrypted during transit or at rest is fully exposed and readable if accessed by unauthorized parties. In the healthcare sector, more than 385 million healthcare records
have been exposed in data breaches since 2009, many of which could have been prevented with proper data encryption.

Insider Threats

Misuse of privileged access can lead to severe breaches, as seen in the Capital One breach in 2019. A former employee exploited a vulnerability in Capital One’s cloud infrastructure, exposing the personal information of over 100 million customers.

Unpatched Software

Systems that aren’t regularly updated are vulnerable to attacks that exploit known security flaws. The WannaCry ransomware attack in 2017 is a good example of how regular software updates could greatly reduce the risk of data security incidents.

Mitigation Strategy for Data Security Vulnerabilities

Regular Audits and Monitoring

The most foundational step in mitigating data security vulnerabilities is conducting regular security audits and monitoring. Implementing tools to detect unusual activity, misconfigurations, or potential breaches in real-time enables teams to take quick action before issues escalate.

Data Deletion

Deleting sensitive data is often the quickest way to reduce risk when a vulnerability is detected or when data is no longer needed. Short-term, this approach is highly effective because it immediately removes the data from potential exposure. Long-term, it doesn’t address the underlying vulnerabilities and may only provide a temporary fix. Additionally, this strategy can be constrained by legal, compliance, and technical requirements.

Additional Access Control

Strengthening access controls is a common mid-term solution to prevent unauthorized access. This can include implementing policies like no public buckets by default in S3 or mandatory multi-factor authentication (MFA), as seen with Snowflake. Short-term, access control can be highly effective in enhancing security by limiting who can access sensitive data. Long-term, its effectiveness may diminish if not consistently maintained or updated. Inconsistencies in implementation across different platform vendors (like Snowflake, Databricks, and AWS) can create complexity, slow down development velocity, and sometimes reduce the effectiveness of access controls as a security measure.

Data Encryption

Encryption is a comprehensive long-term solution that protects data even if unauthorized access occurs. Short-term, encryption is highly effective because it immediately secures data, ensuring it remains unreadable without the correct keys. Long-term, encryption is the most effective approach because it provides ongoing protection as long as the keys are properly managed. Additionally, integrating encryption into your tech stack opens up the possibility of implementing advanced security features such as tokenization, data masking, and deterministic encryption, which further enhance data protection.

Comparison of These Three Approaches

Approach Short-Term Effectiveness Long-Term Effectiveness Level of Effort Challenges
Data Deletion High—immediate risk reduction Low—only a temporary fix, doesn't address root vulnerabilities Minimal Legal, compliance, and technical constraints
Additional Access Control Moderate to High—effective in preventing unauthorized access Medium—can degrade over time if not consistently maintained or updated Can slow down development velocity Inconsistent implementation across platforms; may require regular updates
Data Encryption High—protects data even if accessed High—ensures long-term data security; foundational for advanced features like masking and tokenization Significant engineering effort Requires re-architecting; technical complexity, but enables advanced security features

Advantages of Data Encryption

Encryption simplifies system architecture by reducing the need for complex access control, data governance, and extra security features on vendor platforms and developer tools. By protecting data at the core, organizations can spend less time and money on creating and dealing with extra approval processes and more on ensuring sensitive information is always private and secure.

Long-Term Simplification and Reliability

Data encryption encourages simpler architecture over time by reducing the extra security features needed across individual vendor platforms, internal processes, access control policies, governance, and monitoring. This not only enhances long-term data security but also makes it easier to keep implementation simple and maintain compliance across an organization’s infrastructure and overall security.

Keyper: Jarrid's Data Encryption SDK

Keyper is designed to make encryption and security management straightforward and accessible across your organization.

Configuration-Driven

Keyper comes with an easy-to-understand setup, allowing non-engineering functions—such as security, compliance, and legal teams—to collectively decide on access and encryption rules. Configurations can be applied by engineers directly using the SDK. This ensures security decisions are clear and aligned across all teams without additional overhead between engineering and security.

Easy Integration with Existing Tech Stacks

Keyper is designed to be easily integrated with existing CI/CD workflows and tech stacks at storage and consumption points. This allows organizations to enhance their data security without disrupting existing processes or requiring significant changes to their infrastructure.

Complementary to Existing Security Frameworks

By adding encryption to your existing security framework, Keyper improves the overall data security posture of your organization. It ensures that sensitive data remains secure even if other security measures are compromised, offering better protection and strengthening your existing access control and approval processes.

Summary

Data breaches are becoming more frequent and costly. While data deletion and access control offer short-term protection, they fall short in the long run. Encryption provides lasting security by simplifying system architecture and reducing reliance on complex controls. Jarrid’s Keyper make encryption simple using the existing tech stacks, ensuring data remains secure even if other measures fail.

. . . . . . . . . . . .