In Part I, I discussed some of the older cybersecurity challenges that new technologies are still dealing with. In this piece, I cover new challenges for new technologies.
Each new technology presents its own cybersecurity vulnerabilities for criminals to exploit. Both cloud computing and cryptocurrencies have provided, and will continue to provide, examples of this.
(Relatively) New Tech, New Problems
If you’re not a bitcoin millionaire, you’ve surely heard of them. Cryptocurrencies like bitcoin are hot right now, but they carry security risks both familiar and a bit unusual. While these will likely not hurt us (yet) in 2018, they will be real challenges in the years ahead. The first challenge is that bitcoin ownership is verified using an approach based on the same math as public-key encryption methods. And as we saw above, these will be vulnerable to attacks by a quantum computer. In addition, the substantial speedup offered by quantum computers will ultimately give malicious users an opportunity to control over 50% of the computing power of the bitcoin network, letting them control the ledger and potentially duplicate transactions for gain.
Beyond cybersecurity, cryptocurrencies like bitcoin are a threat to the real world in ways that are now becoming more apparent. Because they carry a record of every transaction they have ever been a part of, cryptocurrencies use an enormous amount of energy, which takes that energy away from other uses like powering homes, hospitals or scientific research while making a big contribution to climate change.
Cloud Giveth and Cloud Taketh Away
While it’s still unclear whether cloud computing will be a net positive or negative when it comes to climate change, we pretty much have consensus that cloud providers do offer better cybersecurity than what smaller businesses, at least, can achieve on their own.
Unfortunately, there are trade-offs for that security:
1. Companies often must give control over encryption and key management to their cloud provider.
2. Some cloud providers lock customers into using only their software, hardware or vendors.
3. Even providers that offer BYOK (bring your own key) options typically give only a limited number of options, and even some of those require companies to surrender the keys to the cloud provider.
Even if an organization has full faith in its cloud provider, it’s still not a good idea to give the provider full access to all of the company’s sensitive data. The provider might not think about breaching security in a million years, but if they get a subpoena from the government, they are going to have to turn over the requested information. It’s simple: if they don’t have the encryption keys and therefore access, they can’t.
To ensure data is secure, companies and cloud providers need to share responsibility for encryption key management. This is not a case of either hosting your own keys or delegating everything to the cloud provider; it’s a combination.
Finally, if there is one message I’d like to impart for the new year, it’s that whether dealing with new technology or old, old year or new, remember that humans are always the first line of cybersecurity defense and are most often the cause of breaches. No technological methods can substitute for a well-trained staff. Train your team early and often about good cybersecurity hygiene, and invest in strong cybersecurity knowledge, both internally and externally. This way you won’t have as much to worry about as you might in 2018.
If you missed Part I, you can find it here.