The Capital One breach shows a weakness in prevailing cloud security
Capital One's recent breach reveals lessons that all financial institutions and payment companies can learn from.
After the breach, Capital One revealed it encrypts data, but the unauthorized access also enabled the decrypting of data in the cloud. This is a very common issue with most data encryption available in the cloud and not specific to Capital One.
One area companies often ignore is the security of their cloud providers. Most cloud providers, including top SaaS CRM providers, claim to encrypt client data in their database or storage. But the providers do not disclose that proper functionality results in data being stored in a clear decrypted application layer, web interface and API. That's where most of the attacks are taking place.
Their technique of encrypting data in storage and keeping it all decrypted in internet-facing application modules is vulnerable to common cloud threats such as account takeover, session hijacking, API vulnerabilities, and user errors. Furthermore, storing your keys in the same cloud environment as your encrypted data makes it significantly easier for attackers to access your decrypted data.
Financial organizations should select tools that automatically protect sensitive information and keep it always protected. For instance, they should access all cloud applications via a cloud encryption gateways or cloud security brokers with automatic rights management and end-to-end data protection.
Companies will begin to take notice that they are not fully protected with such techniques that are marketed heavily and they remain exposed to all sorts of risk. They will need to reassess how exactly they are implementing encryption and tokenization in the cloud for risk management and regulatory compliance such as HIPAA, GLBA, GDPR, CCPA.
As we saw in the case of Facebook and Equifax fines, we'll see more regulators “bring the hammer down” and levy some of the largest fines ever seen to raise the sense of urgency on businesses to protect their clients' sensitive information properly. It could be the FTC first, then European GDPR and Canadian PIPEDA, then upcoming California Consumer Privacy Act, and many other privacy regulations worldwide.
Cybersecurity and data privacy are trends similar to the trends of cloud, mobile and AI. Businesses are naturally jumping on cloud, mobile and AI for finding new business opportunities, but they are not paying enough attention to cybersecurity and data privacy.