The SolarWinds software supply chain attack, which was delivered to over 18,000 customers via the company’s own software update process, was the result of malicious code deployed in SolarWinds’ Orion network monitoring software. The Wall Street Journal reported that the attack gave hackers potential access to sensitive corporate and personal data, and The Verge reported that “9 federal agencies and about 100 private sector companies were compromised.”
Supply chain attacks are not new, and recent headlines are an important reminder for organizations to look more closely at supply chain risks. That goes for both commercial software producers (companies that produce products and services for other organizations or for the public) and software supply chain consumers (companies that consume materials, products, and services from various third parties). Some of the takeaways from the recent attack are:
This is the first of a series of blog posts focused on sensitive data protection and how organizations can better protect their sensitive data and corporate intellectual property, with a focus on application security.
One of a CISO’s primary responsibilities is to protect their company’s important digital assets, which can include corporate intellectual property such as proprietary source code and other patented technology or confidential information. However, because of emerging privacy and regulatory laws and standards, CISOs and data protection officers now also need to protect user data—personally identifiable information (PII), personal health information (PHI), and payment card industry (PCI) data.
These new privacy laws are increasing the restrictions on the use, retention, and geographic residency of user data. This requires many organizations to protect this data and its use both internally as well as with third-party vendors that handle this data. CISOs need to work with their colleagues in data protection, privacy protection, IT infrastructure, compliance, and software development to ensure compliance with these data protection and privacy laws, standards, and guidelines. In addition, the emergence and adoption of hybrid clouds and multicloud services creates new challenges for data security. Other factors—the geographic origin of data, storage location, and user access location points—further complicate what services providers and major cloud infrastructure providers need to do to secure their data.
Consumers are becoming more wary about how their personal information is used. The National Conference of State Legislators, citing a report by the Pew Research Center, notes “More than 80% of Americans say they go online on a daily basis. Of those, 28% go online almost constantly and 45% go online several times a day. Consumers are now more aware that businesses, social media sites, and other websites may collect and share their personal information with third parties. They also hear more about security breaches, cyber attacks, and unauthorized sharing of personal information.”
Similarly, a survey of 1,000 consumers from the U.S. and the U.K. conducted by Entrust showed that 79% of consumers said they’re concerned about data privacy, and 64% said that concern has increased in the past 12 months. According to an article from Security Boulevard, the top reasons for consumers’ heightened concerns were news stories about data breaches and seeing an increase in targeted ads on social media.
“By 2023, companies that earn and maintain digital trust with customers will see 30% more digital commerce profits than their competitors.”
Gartner, The State of Privacy and Personal Data Protection, 2020-2022, Aug. 26, 2020
The recent surge in remote work has also resulted in increased worker data privacy concerns. “What we found was that roughly two years ago most companies barely had a privacy team; it was tucked away in a legal office,” says Robert Waitman, director of data privacy at Cisco. “But with the shift to remote work because of the pandemic, privacy has become more important, mainly because employees were uncomfortable with the privacy of the tools available and the need for companies to provide a safe workplace.”
Understanding how application security ties into data and privacy protection is essential. With the digital transformation happening in many industries, organizations are compelled to digitize their business web presence to gain and retain new customers more quickly than their competitors. This is especially true in the financial services, healthcare, and e-commerce/retail market segments, where usage of mobile and web applications and websites has increased significantly. However, these websites and applications can also serve as attack vectors for hackers who use them as entryways into organizations’ databases, which contain sensitive user data that can be monetized on the dark web.
This white paper provides a summary of recent privacy laws and describes how different frameworks and security tools—including application security tools—can help ensure data protection and privacy. Software security services, architecture analysis, and threat modeling of new systems from both a security and systems engineering perspective are equally important. CISOs should work collaboratively with their heads of software application development, third-party application procurement, and systems engineering to better protect sensitive data against potential cyber security attacks that can lead to costly data breaches. The recent SolarWinds software supply chain breach points to the urgent need for improved DevSecOps processes, secrets management, and sensitive data detection throughout the stages of the software development life cycle.