Security continues to be a top concern keeping IT leaders up at night. With good reason – the impact of security breaches can include remediation costs, reputation damage and reduced customer confidence.
What can leaders do to protect their data without sacrificing business agility? In August 2017, IBM commissioned Forrester to conduct a survey of IT and security decision makers to explore how organizations are implementing security to protect their data.
The Forrester study revealed that 46 percent of the organizational representatives surveyed encrypt little to none of their data, with only 12 percent encrypting all their data.
It also highlighted a wide range of security issues, including:
- A need to operationalize security to secure the new data perimeter.
- A focus on protecting data but a lower level of actual encryption.
- A desire for a “zero trust” approach to security, restricting access to those who need it.
1. Operationalizing Security
According to Forrester, operationalizing security is about “taking specific steps to identify malicious actions and respond to them in order to fix the issue.”
One of the biggest security issues today is the explosion in data, with much of that data being located beyond the previous security perimeter.
70 percent of people surveyed said they stored critical data in the cloud – so cloud service providers need to protect client data from other clients sharing the same cloud.
2. Encrypting Data
85 percent of those surveyed currently encrypt their data based on a data classification scheme. Encrypting selectively means that whatever data is not chosen for encryption remains unencrypted and exposed to attack.
The simple answer is to encrypt all data – an approach called pervasive encryption. But doing this in software can impact service level agreements (SLAs) because of the performance overhead. Pervasive encryption becomes practical when it is done in hardware with special cryptographic co-processors.
Encryption keys also need to be protected in order to properly safeguard data. Holding encryption keys in the clear speeds processing, but opens up other possible attack vectors.
3. Zero Trust
66 percent of those surveyed said that they subscribe to a zero trust approach to security.
Typical approaches include implementing access control mechanisms and enforcing role-based access – and these have proved valuable in protecting systems from many threats.
However, this still leaves system administrators with widespread access to data and applications, and they have often been the culprits (either intentionally or accidentally) in recent insider attacks.
Addressing critical security issues with IBM LinuxONE
In September 2017, IBM announced the latest member of its LinuxONE enterprise server family – Emperor II – with a wide range of capabilities designed to operationalize security.
For multi-tenant clouds, hardware virtualization provides “air-gap” level isolation between logical partitions, protecting against any peer access to critical data by other customers. It also enables new virtual machines to be provisioned faster and share resources.
LinuxONE includes hardware encryption. Faster encryption and decryption make it practical for organizations to pervasively encrypt 100 percent of data. Updates have also been submitted to the Linux kernel to enable support for protected encryption keys on LinuxONE.
Secure Service Containers provide a framework for deploying software appliances on LinuxONE. Once configured, access is permitted only through well-defined APIs and web interfaces. This prohibits access to private data by rogue system administrators and by external threats. The framework also validates the appliance code at boot time and automatically encrypts all data.
Today, Secure Service Containers support IBM-provided appliances such as the IBM Blockchain Platform. A beta program offers users and developers the chance to evaluate and provide feedback to shape the future direction of IBM Secure Service Containers.