In response to Family Tree Maker, a popular family tree software, exposing tens of thousands of its users’ personal information online via a misconfigured cloud server, cybersecurity experts provide insight below.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
As the Family Tree Maker scenario clearly displays, security administrators need to move beyond reinforcing their perimeter boundaries and access mechanisms. This is not to say that they need to neglect perimeter security. However, no matter how much effort and investment are poured into securing the borders of their data environment, sensitive data inevitably will wind up in the wrong hands—either through intentional intrusion and theft, unintentional distribution, or pure lack of oversight.
Data-centric security addresses the need for security to travel with the data it protects (rather than merely securing the boundaries around that data). Standard encryption-based security is one way to do this, but encryption methods come with sometimes-complicated administrative overhead to manage keys. Also, many encryption algorithms can be easily cracked. Tokenization, on the other hand, is a data-centric security method that replaces sensitive information with innocuous representational tokens. This means that, even if the data falls into the wrong hands, no clear meaning can be derived from the tokens. Sensitive information remains protected, resulting in the inability of threat actors to monopolize on the breach and data theft.
Had this highly sensitive personal data been tokenized in the Family Tree Maker environment, none of it would have had the potential to compromise individual users. This type of preventative helps keep organizations within compliance regulations and helps to avoid other liability-based repercussions.
Exposures from misconfigured servers and applications are among the most embarrassing security incidents. It’s fun to think about elite teams of attackers and defenders battling it out in cybersecurity, but cases like this are the equivalent of a shop leaving the cash register out on the street. This type of error or omission is common in organizations that have not cultivated a culture of security, that is, they have not made the commitment to ensuring that every person in the organization is properly trained and accountable for ensuring they understand the security implications of job functions they are responsible for. Further, checks and balances to proactively identify security issues should be in place, as well as continuous monitoring and auditing of all systems and data. Failure to protect the personal information that customers have entrusted to you carries severe consequences in customer confidence and trust as well as potential legal and regulatory penalties. Businesses that disregard cultivating a true culture of security will find themselves increasingly exposed and penalized.