Technology progresses at an unprecedented pace – from client-server environments, to virtual machines, to containers and microservices. Yet one element remains constant: the main purpose of any environment in any cloud and on any infrastructure is to process data. Every technological advance in the IT industry is done in the name of better, faster and more reliable data processing systems.
Data is collected by enterprises en masse and is used to provide services to users, as well as derive business intelligence. Internet companies collect massive amounts of data to build user profiles and target advertisements. Financial companies collect customer financial data and examine transaction histories to build customized loan recommendations while managing risk in lending. Healthcare companies and hospitals collect patient information to improve physician workflow and provide point-of-care diagnostic information. It is obvious that data is one of the most prized commodities of any enterprise.
The vast majority of the data that is collected is sensitive. Even if a given data element, on its own, reveals nothing of particular significance about a customer, in the greater context of previously collected data linked across multiple sources, each additional piece of information makes the puzzle that is the customer profile more complete. Therefore, it is careless to say that a certain data element does not need to be protected just because it is not of a sensitive nature. Data does not exist in a vacuum: it is always linked to and correlated with other data – all 18 zettabytes of it (as of 2018). This is projected to grow to 175 zettabytes by 2025. That’s a lot of data. If you started to download this Global Datasphere today over your fast internet connection, you would be done in about 1.8 billion years. Again, that’s a lot of data – and all of it is sensitive and needs to be protected.
There are laws and regulations governing how enterprises must protect customer data. Some industries are more heavily regulated than others: the financial sector has PCI, healthcare has HIPAA, and there are numerous other regulations. To companies, however, protecting information is an expense, and corporate expense requires justification. In addition, modern environments, heavily virtualized and multi-tenant to maximize return on infrastructure investment, present numerous new attack vectors. You have most likely heard of attacks on Docker and Kubernetes that scan for daemon ports left open and for passwords set to default or dictionary values. More information means greater exposure, and more multi-tenant environments mean more exposure points and attack vectors.
Enterprises adopt security through various means, from perimeter security, to network security, to data security. In modern container environments, this usually involves solutions ranging from container image scanning to runtime scanning of the software stacks running inside containers. That’s because, as we discussed above, there are literally thousands of containers running at the same time, not all of them secure, and every one of them is a lucrative target for attack.
If this all seems a little counterintuitive, it should. With data being the most valuable asset of any business, it is puzzling that the focus of protecting this data is not on the data itself, but elsewhere. After all, every decent bank starts with a safe, not with a fence. The fence is important, but the safe is the first and the last line of defense against data theft. The fence does not protect the data; it protects the building. Perimeter security, network security, and execution stack security measures are important, but they protect containers, not your data. Data-at-rest security – think of it as the software equivalent of a bank safe – is how you ultimately protect the data itself. And the most common and surest way to secure data at rest is to encrypt it. Of course, none of this invalidates the need for a comprehensive set of security tools; after all, a security solution is never just one piece of technology. But when the fences fall down, when your network is compromised, and the bad actor is inside your Kubernetes clusters, data-at-rest security will be your last and only line of defense.
It is well warranted to build your security solution from the inside out: start by locking down your data, then worry about network security, runtime security and perimeter security.
In my next blog post, we will discuss what to consider when selecting the security products that will make up your security solution.