Too Much Data Access: What’s Happening, and What Can Be Done
It seems like every week there’s a report of a new data breach. As Apple notes in their December 2022 white paper, “the data ecosystem has become so vast and interconnected that people are only as safe as the least secure company that interacts with any company that has access to their data.”
As it turns out, there are a whole lot of “least secure” companies. Apple gives the example of the famous SolarWinds supply chain attack in 2019, in which malicious hackers were able to gain access to as many as 18,000 organizations that used SolarWinds software. Those attackers were able to infiltrate Microsoft, Intel, the Department of Homeland Security, the US Treasury, and more.
Meanwhile, there were over 290 million victims of data breaches in the US in 2021 alone — a sizable majority of the country’s population.
Clearly, unauthorized data access is a huge problem. But why is it happening, and what can be done to stop it? We’ll explore the issue below.
Why is there so much unauthorized data access?
In short, because there’s so much data. Data growth is happening at an exponential rate and, as the statistics reveal, shows no sign of slowing down.
- In 2020, 64.2 zettabytes of data were created — a 314% increase from 2015.
- By 2025, an estimated 175 zettabytes of data will exist, half of which will be stored in data centers and half in the public cloud.
- Data generation is skyrocketing particularly in the areas of AI, machine learning, and the Internet of Things (IoT). It’s projected that there will be over 25 billion IoT devices by 2030.
But it’s not just that data is growing exponentially — it’s also how the systems that manage that data are growing, and who’s being given access to them. While some new technologies like deep learning, machine learning, and novel language models genuinely do require access to vast amounts of data, access is often given inadvertently and inconsistently within companies.
According to a 2022 Cloud Security Alliance article, systems are sometimes built quickly for companies without adequate security safeguards, with speed prioritized over safety. For companies that are blitzscaling (or even just growing a little more quickly than usual), new roles may be created without a clear understanding of what data access they do or should have.
In short, companies often don’t know how much data they have, where it’s stored, or who has access to it.
Minimizing data access in the cloud
To reduce the chances of a data breach, companies must first limit data access. One of the best options is the least-privilege approach of only granting access to the users who need it, and keeping even that access to a minimum. For instance, if read-only access is enough for a certain user, then organizations should ensure that write and admin access are not granted.
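The least-privilege rule above can be checked mechanically by comparing what each user is granted against what they actually use. The following is an added example, not code from the original article or from ShardSecure; the access levels, principals, resources and log entries are constructed for illustration, and it assumes the log window is long enough to reflect normal usage.

```python
# Added example: flag grants that exceed what each principal actually used.
# Every name and log entry here is constructed sample data.
LEVELS = {"read": 1, "write": 2, "admin": 3}  # higher level implies the lower ones

# (principal, resource) -> level currently granted
GRANTS = {
    ("alice", "hr-records"): "admin",
    ("bob", "hr-records"): "read",
    ("report-svc", "sales-db"): "write",
    ("carol", "sales-db"): "write",
    ("dave", "archive"): "read",
}

# (principal, resource, level the operation required)
ACCESS_LOG = [
    ("alice", "hr-records", "read"),
    ("alice", "hr-records", "write"),
    ("bob", "hr-records", "read"),
    ("report-svc", "sales-db", "read"),
    ("report-svc", "sales-db", "read"),
    ("carol", "sales-db", "write"),
]

def highest_used(log):
    """Return the highest level each (principal, resource) pair exercised."""
    used = {}
    for principal, resource, level in log:
        key = (principal, resource)
        if key not in used or LEVELS[level] > LEVELS[used[key]]:
            used[key] = level
    return used

def audit(grants, log):
    """List (principal, resource, granted, recommended) for excessive grants."""
    used = highest_used(log)
    findings = []
    for key, granted in sorted(grants.items()):
        needed = used.get(key)
        if needed is None:
            # Grant never exercised in the log window: candidate for removal.
            findings.append((*key, granted, "revoke"))
        elif LEVELS[granted] > LEVELS[needed]:
            # Granted more than was used: downgrade to the level actually needed.
            findings.append((*key, granted, needed))
    return findings

if __name__ == "__main__":
    for principal, resource, granted, recommended in audit(GRANTS, ACCESS_LOG):
        print(f"{principal} on {resource}: granted {granted}, recommend {recommended}")
```
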
Other measures like MFA, biometric authentication, rapid incident response when breaches do occur, and reducing the amount of data that’s retained in the first place can all be helpful. Additionally, organizations can try:
- Reducing the number of systems that process sensitive data
- Addressing storage and infrastructure misconfigurations
- Isolating infrastructures that hold sensitive data
- Using privileged access management solutions
- Introducing clear policies for data retention
- Keeping patches up to date
- And more.
However, scholars and security experts agree that access controls are not sufficient to keep sensitive data safe. As one study from the MIT Computer Science and AI Lab notes, “access control in itself is inherently inadequate as a framework for addressing privacy on the Internet.”
Traditional file-level encryption — and where it falls short
In the past, traditional file-level encryption was one of the best ways to keep data safe and reduce the impact of unauthorized data access. Encryption ensures that selected information is unreadable to unauthorized viewers, so even if someone does access data they shouldn’t, they won’t be able to read it.
But file-level encryption also has downsides. It typically requires the installation of agents or applications on a server or client system, which in turn brings endpoint management overhead and incompatibilities with newer services and infrastructures.
Agent-based file-level encryption can also slow down operations considerably, with performance lags ranging anywhere from 5% to 40%. And few traditional encryption solutions can provide the kind of strong data resilience features that ensure high availability and failover during outages and disruptions.
ShardSecure: a modern alternative to file-level protection
ShardSecure is helping companies regain control of their data by protecting against the impact of unauthorized data access, regardless of where that data is stored.
Our plug-and-play technology maintains the confidentiality of unstructured data and metadata in specific files, folders, or storage locations. It separates data from infrastructure owners, maintaining privacy from cloud admins, local storage admins, and more. (This separation of duties also helps support compliance with cross-border regulations like the GDPR and beyond.)
Just as importantly, ShardSecure’s solution does not require the use of agents or other resource-intensive processes, and it does not involve a performance hit. In some cases, it even improves performance. Organizations can store data anywhere — on-prem, in the cloud, or in hybrid- and multi-cloud environments — and remain well protected against the impact of unauthorized data access.
To learn more about ShardSecure’s benefits for file-level protection and advanced data security and resilience, check out our solution brief or visit our resources page today.
Sources
The Rising Threat to Consumer Data in the Cloud | Apple
Big Data for Sustainable Development | United Nations
Data: A Small Four-Letter Word Which Has Grown Exponentially to Such a Big Value | Deloitte
11 Big Data Trends for 2022/2023: Current Predictions You Should Know | Finances Online
Minimizing your Data Attack Surface in the Cloud | Cloud Security Alliance
More Than 40% of Companies Don’t Know Where Their Data Is Stored | Lepide
Access Control is an Inadequate Framework for Privacy Protection | W3.org