Facebook disclosed a new breach today which (according to their disclosure) “may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers.” It’s unclear how many European users were affected but this is a clear GDPR violation even when we don’t consider the potential embarrassment of personal photos being presented to the wrong people.
Europe keeps influencing data privacy around the world… first there was GDPR and now we have PSD2, the new phase of Europe’s Payment Services Directive. And as with any new compliance, there’s a lot of confusion about what it does, what you have to do and what it all means. You can basically sum it up like this:
PSD2 forces banks to make data available.
As the title of this posting probably tells you, there are a LOT of acronyms out there talking about Access Control. To level set, here are a few translations:
Hackers are extremely creative. It’s not just phishing and knocking, hackers will try every crevice, every small hole, even things you would never think of as a way into your data center. The reason you need Zero-trust security is because you never know how they’re going to slip behind the scenes and gain access to what you thought was an innocent little system.
Back in 2007 Apple launched the iPhone and created a whole new way of developing software: Apps. Before Apps most development relied on a full stack of a UI tied closely to code that pulled content from databases. You secured the entire stack, and the idea of separating your security concerns was not only unheard of, but pretty much impossible to achieve.
Ask most companies today about their application strategy and they’ll say, “We’ve got it covered, we’re moving to the cloud.” To which I ask, “What are you moving to the cloud?”
You may have seen my posting on East/West is the New North/South. The bottom line is that traditional API Gateway models simply don’t provide the level of security we need in modern microservice architecture. The problem is that only 20% of the traffic (that is the inbound traffic up until the gateway) is secure, everything inside the data center is “trusted.”
In computer technology we talk about security breaches and how to prevent them, but honestly, we have different kinds of breaches and different reasons to want to prevent them. Sure we hear the stats like “60% of small companies that suffer a cyber-attack are out of business within six months” but what is it about those attacks that cripple and destroy companies? And how can we create better security policies and implement those policies so we don't suffer attacks?
The Cloudentity stack is very powerful and very flexible, which means it's hard to tell the story from one person's point of view. This short (1:15) video gives a quick view from four different people's perspectives.
We talk about network traffic in two ways – North/South traffic is the traffic heading in and out of your network. East/West traffic is the traffic from one server to another inside your network. So why do we focus so much on North/South and almost forget about East/West?
As I mentioned in Identity and Security Starts at Home, the era of Zero Trust means we can’t trust traffic coming from inside the house. Internal systems can be compromised and if your internal security is just IP whitelisting or trusted certs, a “trusted app” can do a lot of damage by probing the internal network.