In a dramatic turn of events, Disney has canceled its Slack subscription after a breach in July in which a group calling itself “NullBulge” leaked more than 1TB of confidential information that employees had posted internally to Slack. Among the data were unreleased projects, source code, financial information and login credentials. This breach came one month after Confluence, another SaaS provider, was breached, exposing 2.5 GB of internal corporate data.
It is still unclear exactly how big the impact of the subscription cancellation will be on employees’ productivity, but it is clear that we have to rethink how we secure SaaS applications if we want to keep using them to make us more productive.
This is particularly important for data platform leaders working with cloud data providers. As an industry we have been pretty cavalier about cloud data security incidents. The M.O. after a data breach was to apply a superficial patch, ride out the PR storm for a couple of days, and wait for people’s attention to be drawn to something else. This will change with the new cybersecurity regulations coming into effect over the coming months and years to address the explosion in cloud data breaches. These regulations grant regulators the mandate to impose hefty fines for security breaches, and even to hold senior leadership personally accountable. Regulators will be keen to exercise this new power, as shown by the roughly EUR 5B in GDPR fines issued over the past couple of years. As a result, your Analytics and GenAI stack will come under tight scrutiny from C-level executives who are keen to keep their heads on their shoulders.
Unfortunately, just turning on MFA will not safeguard your data from being breached, despite being heralded as such by the cloud providers. MFA has well-known bypasses: a user can be phished for a one-time code, worn down by push-notification fatigue, or have an already-authenticated session token stolen from their machine. In fact, Disney’s Slack breach reportedly happened through an internal accomplice, against whom MFA is toothless: the accomplice already has the second factor. Furthermore, MFA does not apply to service accounts, which authenticate non-interactively with keys or tokens and play an integral role in data engineering pipelines.
However, this does not mean MFA is without merit. It means that MFA will not protect your data in and of itself. It has to be part of a framework of multiple data security controls that form sequential lines of defence. As with a medieval castle, when one line is breached there are still other lines of defence to prevent a data breach. These lines of defence can include, from the outer wall inwards: employee training, MFA, least-privilege access management, continuous monitoring of data access, and incident response plans.
Notice that as you go deeper into the castle, the lines of defence no longer serve to prevent a breach, but rather aim to reduce the damage once the enemy is through the gate. This is typically where the responsibilities of the security team end. They prevent breaches through employee training and MFA, but the data platform team is responsible for reducing the impact of a breach through least-privilege access management, continuous monitoring and incident response plans: a compromised credential can only reach the tables it was granted, and unusual use of that credential is noticed before the attacker has copied a terabyte.
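The two inner lines of defence the data platform team owns, least-privilege grants and continuous monitoring, can be sketched in a few dozen lines. The block below is an added example, not code from the original post or from Raito: the service accounts, tables, grants, baselines and the query-audit log are all constructed for illustration, and the alert rules (access to an ungranted table, a source network outside the account’s baseline, and an hourly row count more than five times its baseline) are one hypothetical policy, not a product’s. It targets exactly the case MFA cannot cover, a service account whose key has leaked.

```python
"""Added example: least-privilege grant check plus monitoring of a
data-platform query-audit log for service accounts (not from the post)."""
from collections import Counter
from datetime import datetime
import ipaddress

# Least-privilege grants: each principal may only read the tables it needs.
# Principals and table names are hypothetical, constructed for this example.
GRANTS = {
    "svc_etl_orders": {"raw.orders", "raw.customers"},
    "svc_bi_dashboard": {"mart.daily_revenue"},
}

# Baseline per service account, learned earlier from normal activity
# (constructed values): expected rows per hour and expected source networks.
BASELINE = {
    "svc_etl_orders": {"rows_per_hour": 50_000, "networks": ["10.20.0.0/16"]},
    "svc_bi_dashboard": {"rows_per_hour": 2_000, "networks": ["10.30.0.0/16"]},
}

SPIKE_FACTOR = 5  # alert when an hour's row count exceeds 5x the baseline

# Constructed query-audit log: timestamp principal table rows_returned source_ip.
# The last two lines simulate a leaked svc_etl_orders key being abused.
SAMPLE_LOG = """\
2024-07-10T02:05:11Z svc_etl_orders raw.orders 48000 10.20.4.7
2024-07-10T02:07:30Z svc_etl_orders raw.customers 1200 10.20.4.7
2024-07-10T09:00:02Z svc_bi_dashboard mart.daily_revenue 1800 10.30.1.9
2024-07-10T03:14:00Z svc_etl_orders finance.payroll 30 10.20.4.7
2024-07-10T03:16:45Z svc_etl_orders raw.customers 900000 203.0.113.42
"""


def check_grant(principal, table):
    """Least privilege: a principal may read only tables explicitly granted."""
    return table in GRANTS.get(principal, set())


def parse_log(text):
    """Parse the whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, table, rows, ip = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "principal": principal,
            "table": table,
            "rows": int(rows),
            "ip": ipaddress.ip_address(ip),
        })
    return events


def detect(events):
    """Return alerts for ungranted reads, unknown source networks and volume spikes."""
    alerts = []
    rows_per_hour = Counter()
    for e in events:
        p = e["principal"]
        base = BASELINE.get(p)
        # A read of a table outside the grant set means the grants have drifted
        # (or enforcement failed); either way it deserves an alert.
        if not check_grant(p, e["table"]):
            alerts.append({"kind": "ungranted_table", "principal": p, "detail": e["table"]})
        # A service account suddenly connecting from outside its usual network
        # is the classic sign of a leaked key.
        if base and not any(e["ip"] in ipaddress.ip_network(n) for n in base["networks"]):
            alerts.append({"kind": "new_network", "principal": p, "detail": str(e["ip"])})
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        rows_per_hour[(p, hour)] += e["rows"]
    # Bulk export shows up as rows far above the account's hourly baseline.
    for (p, hour), rows in rows_per_hour.items():
        base = BASELINE.get(p)
        if base and rows > SPIKE_FACTOR * base["rows_per_hour"]:
            alerts.append({"kind": "volume_spike", "principal": p,
                           "detail": f"{rows} rows at {hour.isoformat()}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, the ETL account trips all three rules: it reads `finance.payroll`, which it was never granted, it connects from `203.0.113.42`, outside its baseline network, and it pulls 900,030 rows in the 03:00 hour against a baseline of 50,000. The dashboard account, which stays inside its grants, network and volume, produces nothing. The grant table is what bounds the damage; the monitor is what shortens the time the attacker has inside the walls.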
We are seeing data platform teams really struggle with this. Data security is complex, abstract, touches the whole data platform, and is perceived as a huge productivity killer. There is no glamour! This is why we started Raito. If you want to learn more about how our customers use Raito to put up lines of defence without killing productivity, reach out.
Bart