Last year, the Biden administration issued an executive order, and later additional guidance, aimed at improving the nation’s cybersecurity. Agencies are now required to deploy Zero Trust architectures by 2024. As things go in government, so they tend to go in the private sector. Zero Trust is, therefore, the cybersecurity buzzword of the day.
Organizations are continually striving to assess and mitigate their cybersecurity risk, working to minimize the likelihood that their brand name will be splashed across newspapers nationwide because they’ve fallen prey to a high-profile hack. In cybersecurity, at least the way it is currently practiced, risk is not quantifiable.
We’re pretty mission-driven here at Absio. We believe there is a real problem (or problems) in cybersecurity that reaches back to the first computers. We’re eager to help organizations resolve the issues that arise when sensitive data created or processed by software doesn’t enjoy full-lifecycle protection. A big part of the solution to today’s seemingly endless cybersecurity breaches and privacy infringements is to reengineer applications to adequately, reliably, and automatically protect data, by default and by design.
A recent Associated Press poll indicates that most Americans think their personal information is vulnerable online. What’s more, 71% of Americans believe that individuals’ data privacy should be treated as a national security issue. In other words, the American people get it: data privacy and security are sadly lacking across the digital ecosystem and consumers are suffering the consequences.
As digital solutions have become nearly ubiquitous, few terms have taken a more central place in our conversations than data privacy and data security. Consumers, businesses, and organizations of various types are tiring of the barrage of data breaches and process failures resulting in unauthorized distribution of their sensitive information.
In previous blogs, we discussed the fact that data is physical and inherently controllable. Much like I can move a candy bar from the left side of my keyboard to the right, leave it there in anticipation, and slap away a hand intent on stealing it, it’s possible to physically control where data goes, where it remains at rest, and who can access it. What does this say about data ownership? Quite a bit, as it turns out.
In every field of engineering, there is a grace period when the engineers doing the heroic work of making a complex and highly valuable new technology work can escape liability for poor performance, failures, or damages caused by what they build. That grace erodes as the technology becomes commonplace. Eventually, usually through a combination of litigation, legislation, regulation, and evolving insurance requirements, liability and responsibility for failure starts being pinned to the engineers who designed and built the failed system.
Information was first digitized in the 1950s, thus ushering in the dawn of data. Then, as now, software was used to create and process data, and like most new technology inventions, security was not inherently built in. Software developers didn’t feel the need to apply controls to the new data objects created. Anyone with access to the software and the rare, expensive computer on which to run it could open, read, modify, delete, or copy this data without limits.
Data is just the geek word for information, right? If I were to provide information about the room in which I write this, I might say that it’s 10 feet by 8 feet with a 12-foot ceiling. You’d realize that it’s a comfortable but not overly large space. To put that information into a database, you would use software to enter each dimension into the appropriate cell and save it to your device’s hard drive. Although this description seems straightforward, the information I just conveyed to you and the corresponding data in a database differ in important respects. Without understanding the distinction, we will always struggle to think accurately about data ownership, privacy, and even cybersecurity.