- January 25, 2023
Coming Security Trends in 2021 – What's Ahead
- Bill Tolson|
- February 4, 2021
It's that time of year again where industry leaders and pundits alike preview the coming year to suggest which new or continuing trends will dominate the technology markets.
With the continuing explosion of cyber and ransomware attacks, as well as the changing landscape of data privacy regulations around the world, I thought it would be a good idea to look at current and emerging security-related trends. I’ve focused on not only data or information security, but also network and cloud security issues that customers, analysts, and industry pundits have highlighted as key issues that must be addressed if an organization wants to keep up with the ever-changing cyber-threats environment. As a reminder, the benefits of staying current with on-premises and cloud data and network security requirements include reduced risk of privacy law non-compliance, decreased internal and external IP theft, lowered cyber-liability insurance premiums (at a time when we’re seeing insurers imposing tougher underwriting, pushing for increased rates, and trying to limit Ransomware coverage – especially for those that don’t have solid controls), and fewer shareholder lawsuits.
The security trends in no particular priority order:
- The continuing practice of working from home will mostly continue even though Covid-19 will cease to be the main driver by the 3rd quarter of 2021. Cyber criminals will continue to exploit inadequate data security and end-user security awareness to propagate malware and companies will face rising security/privacy concerns, including increasing numbers of cyber-breaches, privacy regulation-driven fines, increasing numbers of ransomware attacks, dramatically higher ransom demands, and higher insider PII data theft.
- In the United States, national privacy laws will again be debated but will not be passed into Federal law. Several privacy bills were introduced in Congress in 2020 included The Safe Data Act, The Filter Bubble Transparency Act, The Detour Act, The Browser Act, The Data Protection Act of 2020, and The Consumer Data Privacy and Security Act. A secondary question revolves around bullet #3 below; If a federal privacy law is actually passed, will it supersede all state privacy laws – making life easier for organizations?
- States will follow/lead the feds in introducing state-based privacy laws that, like California's CCPA, will expand their jurisdiction well beyond the given state's borders. The belief is that several states will pass new, more stringent privacy laws that will complicate the privacy law landscape because of a lack of direction from the feds.
- New state privacy laws will more often include the concept of a private right of action (PRA). A private right of action allows a private plaintiff to bring a lawsuit directly against a company based directly on a public statute. Many times, an individual must depend on the state's AG to file a suit.
- State privacy laws will begin to include the concept of a company that collects PI acts as a data or information fiduciary. Data fiduciaries have the overriding requirement to handle/protect a data subject's personal information, first and foremost, in their best interests, not in the data collector's interest. This duty of care involves ensuring that the fiduciary follows their obligations diligently, ensuring that the data-subject interests are not harmed. The New York Privacy Act, in its current form, includes this requirement of data fiduciary.
- New versions of ransomware (2-stage ransomware or double extorsion) will increase their use of copying data before encryption. 2-stage ransomware now copies sensitive data from the target organization. It later uses the threat of releasing it on the internet and reporting the release to government agencies to indicate a privacy violation. The outcome can include privacy law fines that are many times more than the actual ransom asked.
- Ransom demands and payments will continue to rise - the average ransom paid has increased to$1.18 million
- Cloud security in general, and cloud data security in particular, will become even more critical as companies embrace digital transformation as a cost-cutting strategy and to support their primarily remote workforce. As we have seen over the last couple of years, the need to reduce costs while increasing services and capabilities to clients by taking advantage of cloud economies of scale has become an important strategy and potential differentiator. However, adopting the wrong cloud computing platforms can dramatically increase corporate and client risk by putting sensitive data in unprotected or lightly protected cloud platforms – also see point 9 below.
- Enterprises will increasingly reject SaaS-based platforms that involve their sensitive data. PaaS cloud platforms will continue to make gains against SaaS platforms due mainly to infrastructure and data security requirements and the increasing sophistication of cyber-hackers and new versions of ransomware. With SaaS solutions, the client is at the mercy of the third-party cloud provider's lowest common denominator security practices. With a PaaS solution, the client can isolate their infrastructure and customize their security practices and technology to raise their specific security needs.
- On-premises data encryption BEFORE movement to the cloud will become a vital data security requirement. Most SaaS vendors control all aspects of a client's data security (shared security), controlling when client data is encrypted, what encryption keys are used (sometimes shared across all clients), where those encryption keys are stored (usually in the same cloud), and who has access to the keys from within the SaaS provider's organization.
- Zero trust architectures will dominate. A zero trust architecture treats all users as potential threats. It prevents access to data and resources until the users can be authenticated appropriately, their need verified, and their access authorized. In reality, a zero-trust architecture eventually allows a user full access but only to the bare minimum of select data they need to perform their job. If a device is compromised, zero trust can ensure that the damage is contained.
- Securing data in transit, at rest, AND WHILE IN USE. The need to encrypt and secure sensitive data in transit and at rest has been around for some time. The need to secure that same sensitive data – through strong encryption while the data is in use has risen to the top of many CISOs priorities. One issue with using encrypted data while used in computational processes is that because the data is (hopefully) encrypted, applications cannot utilize the data for analytics or ongoing management/user. Homomorphic encryption, a type of encryption that allows ongoing computation of the data while still encrypted, has been available for many years but had not been used for most commercial uses due to the computing resources needed to make it usable. With the move to the cloud, dynamically shared cloud resources (PaaS) make homomorphic encryption for data security while in use fully available.
- Concern with MSP attacks will drive the need for secure/private enclaves. A secure enclave provides CPU hardware-level isolation and memory encryption on every server by isolating application code and data from anyone with privileges and encrypting its memory. Fact, there is no way to view any data or code inside a secure enclave. These security properties make the secure enclave a trusted execution environment that can safely access cryptographic keys and sensitive data without compromising data confidentiality.
Gartner Research has recently confirmed that cloud archive security will be one of the top two or three most important factors their clients will be looking for in 2021. Companies will continue to hold back their most sensitive data from the cloud without more advanced cloud security capabilities.
With accelerated world-wide move to the cloud, infrastructure and data/information security have become the biggest risk mitigation focus for all organizations across the board. New privacy laws focused on individual personal information protection and storage, digital transformation driving cloud data consolidation, cyber-hacking, evolving ransomware threats, and client expectations are driving organizations to rethink their approach to data security. And future data privacy laws will potentially demand even higher security requirements and damaging fines.
Chief Information Security Officers (CISOs) are now tasked with not only keeping sensitive information secure from external threats, but also from internal bad actors. Organizations that don’t place data security as their top priority will find themselves facing increasing fines, expensive litigation – including from both data-subjects and shareholders, and loss of business. Best of breed data security is now the minimum requirement for both organizations as well as their cloud vendors. Without it, both current and potential customers will steer clear.
Archive360 is challenging traditional approaches to data/information management and archiving by enabling customers to implement a Zero Trust, PaaS-based cloud architecture. This allows our customers, which include some of the most security-conscious organizations in the world, to build the most secure cloud archives and information management environments possible, including customized security and data privacy, incorporate best of breed security practices such as on-premises encryption and key storage via our Cloud Security Gateway, homomorphic encryption, secure multi-party computation, granular entitlement-based access controls and field-level encryption.
Ransomware attacks: prevention, detection, and mitigation
Join Archive360's panel of experts as we discuss the latest regulatory changes on data privacy that will affect your compliance program.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.