After a massive data breach was discovered at SMS provider company, TrueDialog, which left tens of millions of unsecured and unencrypted data exposed, professionals have criticised the avoidable error and placed the blame on human negligence. Robert Reeves, CTO, and Co-Founder, Datical, an IT firm focused around DevOps, talks of where the responsibility lies and why he believes data breaches are growing.
Do you think that hacking that kind of tech was an easy target and why?
As more and more companies use newer database technologies, they often do not have the security rigor applied to them like more established and entrenched database technologies such as Oracle and SQL Server. But the database in question was actually an instance of Oracle Marketing Cloud running in Azure. What makes this an easy target is that non-core business functions took over their IT from classic operations. Those are easy targets.
Do you think the responsibility lies with the user or the developer in this case and in general?
Most certainly, the responsibility lies with the developers at TrueDialog. If you’re going to offer a service to customers, users in this case, they will have an expectation the service is secured.
How do you think DevOps connects to this sort of thing?
DevOps is about identifying bottlenecks, problems in software delivery and rallying to resolve that problem. Then, lather, rinse, repeat onto the next bottleneck or problem. Obviously, this completely unsecure database was a challenge from the beginning. But, I would be very surprised if no one at TrueDialog had not noticed this issue before. As such, had a more mature process, like DevOps, been in place, this issue would have been resolved before it was discovered, I believe.
Why do you think that so many data breaches are occurring in a day of such developing tech?
In general, companies are using newer technology databases and not putting it through the rigor of how they secured Oracle or SQL Server. They just don’t have the skills to do that, but that’s not stopping them from putting personally identifiable information (PII) and other sensitive data in there. Just like we vigorously test automobiles and medical equipment, we should have rigorous standards and compliance enforcement with new technology. It’s simply negligent to apply new technology to a system without making certain sensitive data is not exposed. Negligence is very expensive.
We have also seen a large number of breaches and failures due to human error. It’s time for it to stop. The Salesforce outage in May was caused by unexpected issues with a database change script executed in production, which took the team 72+ hours to resolve. The AWS S3 outage was caused by a manual typing error, which brought down several websites that relied on S3. Of course, the most widely known data breach has been Equifax, where they did not patch Apache Struts due to no automation for application release and updates.
What is the number one thing that firms can do to protect themselves in security?
There are many solutions that companies can use to send their own texts. Of course, this might require some development work on their part. Companies must always ask themselves, “What will happen to my business if this provider is breached?” That sort of questioning allows you to weigh the ease of using a service provider providing your own solution. However, unless you are able to provide a higher level of security, your best choice is to find a selection of providers and question them specifically on security and breach response.
People who work in security and IT tend to be aware that we need to protect ourselves against hackers, but today, with so many people susceptible to cyber-attacks, do you think the government needs to do something to make people more aware?
Absolutely not. The government can’t even get [healthcare] right from the start. They just outsource to the lowest-cost provider.
What other trends, positive or negative, are you noticing in tech right now?
Microservices and cloud-native architectures are definitely the new hotness.
At the moment, we are developing security in places like biometrics, where do you see the future of security measures going?
I love two-factor location-based authentication. This really eliminates the dangers of accounts being compromised from remote locations.
What are your 2020 tech predictions?
The adoption rate of new technology will dramatically increase, especially with open source. Just look at Kubernetes — we were all amazed at how quickly that proliferated. The same thing is going to happen with technologies like Spinnaker, but even faster. JPMorgan Chase made a public declaration of their commitment to Spinnaker at SpringOne, and we’re going to see more companies do the same. Based on this, CIOs need to actively explore these new technologies and pay attention to what their developers are interested in, as this will indicate the areas they need to invest in.