Thales Blog

Data Security...Up The Stack

January 27, 2014

Screen Shot 2013-12-12 at 9.15.39 AMData breaches have been front and center of late: Target suffered a tremendous data breach over the holidays affecting some 70M customers and Neiman Marcus just disclosed that 1.1M of its customers’ credit and debit cards were recently compromised. With the accelerating frequency and severity of data breaches, my top prediction for 2014 is that organizations are going to bring data security to their critical applications. Here’s how I anticipate organizations will add data security to their application stack…

First, enterprises will create more “hardened” enterprise applications than they have in the past. Companies creating new web or internal applications will employ “hardening” techniques as part of their development process. There will be an increased focus paid to securing sensitive data through encryption and key management, access controls limiting privileged accounts, and behavioral analysis. I also think we’ll see more focus on source code security in order to address the multiple attack vectors. Now, these changes won’t happen overnight since enterprise applications typically have a long tail, but I do think a major shift will start in 2014 particularly with the rapid adoption of cloud and big data solutions.

As my colleague, C.J Radford, discussed in his most recent blog entry, adding data security in the cloud will become a business imperative in 2014. Big Data files will move into the cloud to generate faster time to value, so we can expect to see standard assessments of security for cloud-based applications. Since companies will be moving analytics into the cloud, they will want to understand exactly how their sensitive cloud-based data is being protected. Cloud service providers will start to provide much more detailed visibility into the infrastructure status, data access, network and storage usage for critical accounts.

Also, there will be an increased need for enhanced authentication security. Enterprise applications will mirror those of banks, requiring a multi-factor authentication process to access data. Healthcare and insurance providers are notorious for making their IT budgets second to providing care, but as pushes its information to the cloud, encrypting the data will become vital. That said, I think adoption will be slow in this area until more standardized services become ubiquitous.

I also envision that PCI-DSS 3.0 will result in a targeted reassessment of application security postures. For organizations like Target, Neiman Marcus and thousands of other companies that process and use credit card data, the changes in the new PCI-DSS 3.0 standard (phasing in over the next 18 months) will result in a reassessment of their application security postures. While there are no earth-shattering changes in the transition from 2.0 to 3.0, the re-organization of categories will cause organizations to look in detail at their current applications, supporting infrastructure, security training, service provider contracts and more, while stepping through the new policy for compliance purposes. This should expose the areas where their current applications, security controls and underlying infrastructure are inadequate to protect their critical data.

Finally, I predict that application APIs will go through more rigorous testing and enforcement. One way hackers have been able to access data is via applications exposed to partners. Hackers have started targeting suppliers in order to “open the door” to the customers with whom these suppliers do business. In many cases, the connection is via web-based APIs. As a result of 2013’s record number of breaches, I expect enterprises to start giving these APIs more rigorous testing for vulnerabilities (like a buffer overrun, or SQL injection) and to move down the stack to their suppliers using these applications with data security requirements that must be met in order to continue business around their access to enterprise APIs.

What kind of security is your organization going to implement in 2014?