Businesses must embrace ‘confidential computing’

In the year since the Protection of Personal Information Act came into effect in South Africa last July, the Information Regulator has received more than 330 breach notifications, and ransomware attacks on companies and individuals are escalating. So severe is the issue, that many increasingly fear a “data privacy apocalypse” – both in South Africa and globally.

“Data breach volumes have gone up, as criminals gain access to tools that make exploitation easier,” said Anna Collard, senior vice president for content strategy at cybersecurity consultancy KnowBe4 Africa, earlier this month. “It has become imperative for companies to build a security culture and to adequately protect the personal information and data they have control over.”

Such breaches and attacks were the core topic of the annual re:Inforce conference hosted by Amazon.com cloud subsidiary Amazon Web Services in Boston, USA, this week.

“Every single month, we track trillions of (cybersecurity) events,” Amazon chief security officer Stephen Schmidt said in his opening keynote address at the conference on Tuesday. He announced a series of initiatives aimed at “building out a culture of security”, saying “the mechanisms and best practices that you use have a profound effect and impact on the overall effectiveness of your organisation”.

In an exclusive interview with Business Times, Schmidt said he expected companies to move towards “confidential computing”, which Amazon defines as the use of specialised hardware to protect customer data from outside access while it is being processed.

“It allows them to do sensitive operations within a piece of hardware that doesn’t allow access by human beings,” he said. “I expect people to encrypt data more when it’s at rest and in motion around the world. And most importantly, I expect them to require the use of hardware-based multi-factor authentication to prevent access by cyber criminals and by nation states.”

This approach uses a hardware token, like a USB dongle inserted into a laptop, that requires users to authenticate themselves physically before being able to access the content of the computer. This would immediately block sophisticated attempts, often by government-backed entities, to impersonate users and gain access to sensitive data.

“It’s the best way to prevent ransomware actors from gaining access to authorised identities, who have access to data that is sensitive. Nation-state actors love to take advantage of the identities of people who have access to such data. Using a hardware-based multi-factor authentication token makes their efforts much more difficult.

“Unfortunately, if you look at the history of nation-state actors gaining access to information around the world, the vast majority of situations are where people’s identities were taken. And they weren’t using multi-factor authentication. The guys on the other side love it. They grab your username and your password and they pretend that they are you.”

The most startling aspect of organisations eschewing this form of protection is that it is so cost-effective.

“They’re very inexpensive. The typical price for these devices is somewhere in the $10 range. When you view what the damage potential is, if your identity gets taken, that’s a very minimal investment.

“For consumers, the best bet right now is to use the SMS or instant messenger-based authentication that’s available from a variety of providers around the world. It gives you a chance to receive a code on your phone, you use that code to validate that you are indeed the person who’s authorising a transaction, for example.”

At the heart of the issue, however, is the extent of personal data that is both publicly available, and accessible within organisations.

“The biggest concerns around privacy tend to be the kind of data leaks where there’s lots and lots of data that has relatively broad access. When you think about it, if you collect data as part of your business, does everybody in your company really need access to it all the time, from every system, no matter where they are in the world, no matter what time of day it is? Probably not. But that tends to be the traditional method that is used to secure data.

“You cannot have privacy without security. And everybody knows you need privacy. Therefore you have to bring security along for the ride.”

According to Collard, the non-profit Insurance Crime Bureau found that impersonation fraud in South Africa increased by 337% in 2020, and this is likely to increase further over the next year.

“Data protection is not just a compliance box to tick,” she said. “It is key to ensuring that the business does not lose money or reputational standing because of a breach. As high-profile attacks continue to gain momentum, both public and private sector companies need to make data protection a discipline, not a chore.”

 She pointed out that the Experian breach in 2020 exposed the personal information of as many as 24-million South Africans, while the 2022 TransUnion attackers claimed that 54-million South African records were compromised. It is alleged that the protection of this data was so poor, that the hackers were able to use the word “password” to gain access.  They demanded an R223-million ransom to prevent the data from being exposed publicly.

James Gumede, SADC territory account manager at cybersecurity firm Kaspersky, said the company’s research found that, from January to April this year, ransomware attacks in South Africa doubled over the comparative period of 2021.

“The attack on Transnet last year showed that a successful ransomware breach can stop any business dead in its tracks, resulting in devastating financial and reputational repercussions,” he said.

Schmidt said he expected privacy protection in future to rely increasingly on “pseudo-anonymisation”, which allows an organisation to use data for analytics without knowing the underlying identity of individuals represented by the data.

“That’s the sort of tension that you see quite often between advertising and the need for privacy for individuals. How can you devolve that information in such a way that they can’t actually go back to the fact that it’s you, the individual person? Clear text storage of things is just not appropriate anymore. People are going to expect better access control within companies: you can’t just have access to everything; you have access only to what you need, for the time you need it, from where you need it.”

Schmidt said that future innovation would result in far more work in that space. However, the presence of numerous solutions will not mean that data breaches and privacy violations will be a thing of the past.

“People don’t always know what they have and where it is. Keeping track of that information is difficult in some circumstances, especially when people have older systems, where they may not be constructed from the beginning with the idea of all of the privacy and security controls that we expect now.”

“Unfortunately, businesses around the world have many, many older systems. As an industry, we need to help people move along, improve their systems, to migrate them to newer ways of doing business, to migrate to new kinds of access control. That’ll never happen overnight.”

Listen to highlights of Arthur Goldstuck’s interview with Stephen Schmidt here https://anchor.fm/thefuturefast/episodes/Future-10-Businesses-must-embrace-confidential-computing-e1mdsbv