Many CIOs and CISOs I speak with from Global 1000 companies are increasingly concerned about geopolitical risk and are exploring models, processes, and technologies that will allow them to keep pace with constant and evolving changes.
For decades, companies have located facilities in Eastern Europe and other non-NATO regions where some of the brightest minds in engineering, IT, and cybersecurity reside, and where cooler climates help reduce operating costs and the carbon footprint of their data centers.
Now, companies with data centers in non-NATO countries are reevaluating their risk during these uncertain times and seeking more effective ways to protect and maintain control of their data and intellectual property (IP) stored in those countries. I just returned from SINET Silicon Valley where Alejandro N. Mayorkas, Secretary of the US Department of Homeland Security, participated in a keynote panel discussion outlining the heightened risk of cyber threats as warfare escalates and restraint from using cyber weapons wanes, and the need to capitalize on the power of technological innovation to strengthen defenses. The Secretary and other panelists also discussed the continued importance of public/private partnerships to secure our nation’s critical infrastructure.
Encryption has been the method of choice for many IT leaders and encryption is a great layer of defense. However, we all know that human error, poor cyber hygiene, and challenges with key management can provide threat actors and rogue insiders with access to high-value data. Consequently, encryption itself is not adequate to deter data intrusion and breaches by highly determined nation states, especially in geopolitically unstable regions. Concerns are so high that some global companies I’ve spoken with are considering destroying data rather than running the risk of it getting into the wrong hands as a result of an invasion and takeover. Particularly in countries that are advanced in quantum computing, the capacity of threat actors to decrypt data should be taken seriously.
Changing the risk calculus with microsharding
As this period of uncertainty continues, one thing is certain: geopolitical risk is being elevated in companies’ risk management frameworks. Looking ahead to the potential shift in the nature of the conflict to cyberwar over the long term, as pundits expect, one quantum-safe approach for companies to consider for additional data protection is microsharding.
Microsharding essentially makes sensitive data unsensitive and unintelligible to unauthorized users. It is a three-step process that consists of shredding, mixing, and distributing data across multiple storage repositories of the data owner’s choosing – multi-cloud, multi-region, or hybrid cloud. When data is shredded into microshards, they are too small to contain sensitive data. Mixing that data with poisoned data and distributing it helps to ensure unauthorized users never have a complete, intelligible data set should storage be compromised.
In addition to making the data no longer valuable to bad actors, Microshard™ technology also makes data more resilient. If you’re familiar with the concept of RAID-5, you’ll recognize the similarities between RAID-5 and microsharding. Where RAID uses an array of disks, microsharding uses an array of cloud storage locations. Similarly, if a storage location containing microsharded data becomes unavailable for any reason, affected microsharded data is reconstructed in real time, typically without users knowing. Microshard data is distributed in parallel to storage and, similarly, files are reassembled for use. So, there is little to no impact on application performance, and in some cases performance improves.
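A toy sketch of the shred, mix, and distribute steps and the RAID-5-style rebuild described above, added here as an illustration and not the Microshard product's implementation. The 4-byte shard size, XOR parity, random slot names, and manifest layout are all assumptions made for this example.

```python
import secrets
from functools import reduce

SHARD = 4  # bytes per microshard (assumed size for this sketch)

def xor(blocks):
    """Byte-wise XOR of equal-length blocks (RAID-5-style parity)."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def microshard(data, n_stores=3, poison_per_store=4):
    """Shred, mix with poison shards, distribute. Returns (stores, manifest)."""
    k = n_stores - 1                                  # data shards per stripe
    padded = data + bytes(-len(data) % (SHARD * k))   # zero-pad to whole stripes
    shards = [padded[i:i + SHARD] for i in range(0, len(padded), SHARD)]
    stores = [dict() for _ in range(n_stores)]        # stand-ins for cloud buckets
    stripes = []
    for s in range(0, len(shards), k):
        blocks = shards[s:s + k]
        blocks.append(xor(blocks))                    # parity is the last block
        rot = (s // k) % n_stores                     # rotate parity placement
        row = []
        for j, block in enumerate(blocks):
            store, slot = (j + rot) % n_stores, secrets.token_hex(8)
            stores[store][slot] = block               # one block per store
            row.append((store, slot))
        stripes.append(row)
    for st in stores:                                 # mix: same-size random decoys
        for _ in range(poison_per_store):
            st[secrets.token_hex(8)] = secrets.token_bytes(SHARD)
    # The manifest stays with the data owner; a store alone holds only
    # unordered 4-byte fragments, parity, and decoys.
    return stores, {"length": len(data), "stripes": stripes}

def reassemble(stores, manifest):
    """Rebuild the data; tolerates one unavailable store (passed as None)."""
    out = bytearray()
    for row in manifest["stripes"]:
        blocks = [stores[st][slot] if stores[st] is not None else None
                  for st, slot in row]
        if None in blocks:                            # rebuild the missing block
            i = blocks.index(None)
            blocks[i] = xor([b for b in blocks if b is not None])
        for b in blocks[:-1]:                         # drop the parity block
            out += b
    return bytes(out[:manifest["length"]])
```

The protection in this sketch rests entirely on keeping the manifest away from the storage locations, so in any design of this shape the manifest needs the same care as an encryption key.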
It’s unclear how comprehensively targets will be able to fend off a cyberattack. In discussions with other cyber luminaries attending SINET last week, the view was that adversaries might be too preoccupied with military combat on the ground at the moment and that cyber will take a front seat in the next phase of this likely prolonged war. What is clear is that every company should be revisiting their geopolitical risk and strategies to protect their data and IP. If you have concerns, consider innovations like microsharding to desensitize your sensitive data so it is of no value in the wrong hands.