Rubrik breach – Why data-as-a-service might just work



Rubrik, a cloud data-management and security specialist, recently suffered a major security breach after a misconfigured server exposed confidential client contact and configuration data. The Rubrik breach brings us closer to a world of personal-information-as-a-service. This kind of data exposure is, of course, only the latest in a very long chain of personal information leaks by dozens of companies, both small and large.

Interestingly, all the common security expert advice has been disproved. As security experts, we used to think that the problem lay only with smaller, less secure websites, but that is no longer the case. The bigger and more prominent (and more secure) a site is, the bigger a target it is for attackers; not to mention that a site’s complexity directly affects the likelihood that it will have a bug. Case in point: Facebook’s massive data leak happened because one of its features (out of thousands) exposed users’ data. It is practically impossible for large websites to ensure all of their complex code is secure without investing Billions with a capital B in IT security.

We also used to recommend not sharing too much information with websites, but you can throw that advice out the window as well. The amount of information that is shared automatically (and usually without your knowledge) is astounding. You need a Ph.D. in social media sciences to know exactly what is shared with a site when you sign up with your social media profile. (From a security perspective, logging into a website with your Facebook or Twitter ID is a good thing, since no password is stored on that site. But it leaves the door open to your Facebook information being shared with, and then stored again on, the destination website.)

In other words, the future holds more data leaks. They will be wider in scope, happen more often than not, and will affect bigger and more prominent sites. But computer security history shows that there is always a bell curve with security attacks. Security gets worse and worse until a certain maximum is reached (the top of the bell curve), after which it tends to drop significantly.

Internet servers used to be ridiculously vulnerable to hacking attacks until firewalls came along. Then websites got breached regularly, until compliance regimes mandated security scans and penetration tests, which find application security flaws and help get them fixed. The same is true of many other security niches that went mainstream and almost completely mitigated security diseases that are now ancient history. The same will probably happen with data leaks.



How can data breaches be mitigated? It is probably impossible to mitigate them while data is so widely distributed. If my personal information is stored on thousands of websites, the chances that none of them will leak are infinitesimal. What may solve this problem is the centralization of data. This isn’t far-fetched; we are already getting to this point with regard to usernames and passwords. In the not-so-distant future, selecting a username and password when registering for a new service will be a thing of the past, since most if not all authentication will go through the main portals: Facebook, Google, etc.

We will have a handful of logins, few enough to count on our fingers, and the millions of websites we use will all authenticate through these ‘authentication portals’. If you check how you authenticate today, you may notice that more than half of your logins are not actually logins at all but go through Google or the social media sites. This trend will obviously grow, which is good for the portals, for the websites, which no longer need to worry about authentication, and for the user, who will not be required to register. The same may happen with personal data.

I can securely store my data in one or two places, maybe just in my Apple, Google and Amazon profiles, so that all other websites that require access can simply take it from there (hopefully with my permission). They can then use it for displaying ads, showing me information in my language, and so on, but will not be allowed to keep it in a database that they can later leak. This central store will be a massive target for attackers, but Apple, Google, and Amazon are already massive targets and can take care of themselves better than the smaller companies can.

This personal-data-as-a-service will be a boon for those Internet behemoths, but it won’t be a bad deal for us either: we’ll have more control over our data (not more than we had in the 1990s, but more than we had in the 2010s), and the ability to expunge it by going to the central database and deleting information.

How far are we from this future? It probably depends on a combination of users getting tired of their personal data being leaked on a weekly basis (we are getting there) and “data-as-a-service” becoming more convenient for websites to use than keeping things in a local database (we are not there yet). Give it a couple of years and a few dozen leaks, and we might just start seeing the difference.

About the Author: Aviram Jenik is the co-founder and CEO of Beyond Security, a leading developer of automated security testing tools for networks and applications. He is also the co-founder of SecuriTeam.com, one of the largest security portals and vulnerability databases.

Aviram holds a computer science degree from the Israeli Technion Institute of Technology, and an MBA from Tel Aviv University.

Aviram’s technical background includes a degree in cryptography, development of military-grade network attack and defense processes, contributions to several open-source security projects, and active research in the fields of vulnerability assessment, full disclosure, and protocol fuzzing. He frequently lectures and writes about advanced aspects of the security field and is the co-author of many information security books.

Aviram splits his time between the US head office in San Jose, CA and the global headquarters in Israel.
