The recent class action suit against 23andMe after a hacker exposed the genetic data of millions of users, is an extreme example of how storing sensitive data in the cloud exposes organizations to the risk of huge privacy fines and class action lawsuits. Let alone, the immense impact on the lives of the users affected by the data breach. In this particular case, the data is also being used to target people based on genetic traits.
The cause of the breach was a combination of credential stuffing and the use of an unfortunate feature to connect with users with similar DNA. It shows how inherently exposed sensitive data is to the risk of human mistakes once stored in the cloud. Hackers are banking on organizations moving their sensitive customer and business critical data to the cloud, by increasingly attacking cloud applications using social engineering and stolen credentials.
Does this mean we have to abandon cloud adoption completely and go back to on-prem? Definitely not! This would be a massive competitive disadvantage. According to a recent study by McKinsey, organizations that invest in modern cloud infrastructure, better data capabilities, and data security have systematically outperformed their competitors in terms of generating revenue streams. It is no surprise that in the digital age companies that invest in better technology to get value from data, outperform their competitors, but a business case for data security is not always that easy to make in sectors that are not as heavily regulated as 23andMe. However, hackers are quickly expanding their action radius, and as your organisation is moving its analytical workloads to the cloud for efficient self service analytics, and deploying large language models, it will be crucial to have a scalable data security framework that supports your data & AI journey in a scalable way.
The current access management workflows and technologies centered around Active Directory are clearly not adapted to the ways in which we use data for analytics and AI today. Too often, data access is managed through users and groups in Active Directory, roles and permissions in the cloud data providers, access requests in ServiceNow, and state files in Terraform. This combination of tools makes it near impossible to monitor data access and usage, results in dead slow data access request workflows, and produces inconsistent access controls.This exposes organizations to a higher risk of data breaches and regulatory files, while at the same time reducing the performance of self service analytics through slow data access request workflows.
Organisations that want to remain competitive have to rethink their approach to data access management. The competitive disadvantages of poor data security will eat away at your organiation’s margins, and in certain cases the bite can be considerable. Fortunately, Gartner has provided us with a good framework to define the business case for better data security.
Data breaches
The average cost of a data breach has grown to USD 4.45M, and every day there is a cloud data breach where a malicious actor got unauthorized access to a cloud data provider. It even happens to AI teams at Microsoft. Increasingly, hackers are using extremely sophisticated social engineering techniques to steal or spoof credentials from your co-workers, giving them the keys to all your data. Data Security is an excellent way to prevent and minimize the impact of a data breach. Therefore, it is best practices to implement RBAC, and is also increasingly mandated by privacy and security regulations.
Regulatory Fines
Across the world, regulators are responding to the astronomical number of data and privacy breaches following the increased cloud adoption by introducing regulatory fines for security and privacy breaches, and extending the regulatory scope to more and more organisations. As such, it will be important to implement data security measures that reduce the risk of unauthorised access and privacy misuses by internal and external agents, whether the intentions are benevolent or malicious.
Regulations that can impose regulatory fines for data privacy and security breaches include, but are not limited to:
Self Service Analytics
Many organisations are rolling out a variant of Data Mesh to become data driven and stay competitive or find new sources of revenue. A core component in Data Mesh is Self Service Analytics where data analysts and scientists can serve themselves with data & analytics to support their insights. Organisations that have successfully implemented Self Service Analytics have seen a considerable improvement in business outcomes.
Without a scalable data security framework these organisations run the risk of slowing access to data through slow data access request workflows, or even shutting off access through to misconfigurations. The negative impact on performance has been well documented, which kind of beats the purpose of self service analytics in the first place.
Change
I remember writing the specs for a report at an insurer in the early 2010s. It took 3 months to get that report into production. Sooo slow. Cloud data platforms, and data movement and transformation tools like FiveTran and dbt have significantly democratized access to data transformations, making it extremely easy to load data into the cloud, and create data products and the supporting data transformations in minutes instead of months. The result is a continuous proliferation of data, analytics, and data transformations. You just cannot keep up with this level of change using the traditional access management workflows. You’re basically faced with a choice between keeping data secure, or promoting innovation. The way we work with data today brings a pace of change that requires a more dynamic approach to access management that can be found in data security platforms like Raito.
To summarize; tomorrow’s winners are the organizations that invest in data & AI, modern data infrastructure, and data security. Although we've seen a strong appetite for the first two components over the past decade, the next decade will belong to the organizations that invest in data security.
Reach out to info@raito to learn how Raito can help!
