You remember Tim Berners-Lee, right? The guy who invented the World Wide Web. Well, he’s at it again. Tim’s latest project, called Solid (Social Linked Data), is a platform that is designed to give users more control over their personal data, and to provide more structure to the vast amounts of data we store on the internet.
And then we have the Blockchain – an append-only distributed ledger which is able to function without a centralized authority. These technologies are great, but the question we need to ask is, how will they shape the future of data security?
What is Solid, and Will it Help with Data Security?
With Solid, each user will create a “Pod”. In this pod the user will store all of their data – both public and private. Think of it like your Facebook, Twitter or LinkedIn profile, only you can store this profile anywhere you want.
When you log in to an application that supports the Solid protocol, the application will request permission to access certain types of data stored in your Pod. From a data security perspective, this makes a lot of sense, as organizations don’t need to store large amounts of personal data, thus mitigating a number of potential security threats.
However, it’s unlikely you will be granting access to specific individuals. Instead, you will be granting access to organizations with large numbers of staff who have their own access control system in place. When we’re not storing large amounts of sensitive data, the focus will shift from perimeter-based security, to the employees who are granted access to that data.
It is true that a hacker won’t be able to infiltrate a large database of sensitive data, but what if they were to obtain a legitimate set of credentials that had access rights to thousands, if not millions of Pods, each containing sensitive data?
The point is, technologies like Solid won’t eliminate the need for Identity Access Management (IAM) and User Behavior Analytics (UBA). Regardless of where the data is stored and how the data is used, organizations will still be required to monitor their employees, and receive real-time alerts when an employee is accessing data in a manner that could be deemed suspicious.
The key difference is that we will not be monitoring direct access to the files and folders stored in the user’s Pod, unless the user grants us access to the server logs where their Pod is hosted. Instead, we will be monitoring access to the Pods themselves, as well as the access rights assigned to the employees who have access to the Pods.
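One way to monitor access to the Pods themselves, shown as an added example that is not from the original article or any product it mentions: the Python below counts how many distinct Pods each employee credential touches within a sliding time window and raises a single alert when that count exceeds a threshold. The log format, employee names, Pod identifiers, window and threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, employee credential, Pod id).
# The event format and every name here are assumptions for this example.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "pod-a"),
    ("2024-05-01T09:05:00", "alice", "pod-a"),
    ("2024-05-01T09:30:00", "alice", "pod-b"),
    ("2024-05-01T10:00:00", "bob", "pod-1"),
    ("2024-05-01T10:01:00", "bob", "pod-2"),
    ("2024-05-01T10:02:00", "bob", "pod-3"),
    ("2024-05-01T10:03:00", "bob", "pod-4"),
    ("2024-05-01T10:04:00", "bob", "pod-5"),
    # carol reaches four Pods, but spread over a working day.
    ("2024-05-01T08:00:00", "carol", "pod-w"),
    ("2024-05-01T11:00:00", "carol", "pod-x"),
    ("2024-05-01T14:00:00", "carol", "pod-y"),
    ("2024-05-01T17:00:00", "carol", "pod-z"),
]


def flag_pod_fanout(events, window=timedelta(minutes=10), max_pods=3):
    """Return (timestamp, employee, distinct_pods) alerts for credentials that
    access more than max_pods distinct Pods inside the sliding window."""
    recent = defaultdict(deque)   # employee -> (time, pod) pairs in the window
    alerting = set()              # employees already above the threshold
    alerts = []
    for ts, employee, pod in sorted(events):
        now = datetime.fromisoformat(ts)
        accesses = recent[employee]
        accesses.append((now, pod))
        # Evict accesses that have aged out of the window.
        while now - accesses[0][0] > window:
            accesses.popleft()
        distinct = len({p for _, p in accesses})
        if distinct > max_pods:
            if employee not in alerting:   # one alert per burst, not per event
                alerting.add(employee)
                alerts.append((ts, employee, distinct))
        else:
            alerting.discard(employee)     # burst over; re-arm the alert
    return alerts


if __name__ == "__main__":
    for alert in flag_pod_fanout(SAMPLE_EVENTS):
        print(alert)
```

Repeated access to the same Pod does not raise the count, so the check reacts to fan-out across Pods rather than to raw request volume.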
Can the Blockchain Help Improve Data Security?
Many companies are talking about the Blockchain, and how it can be used to secure sensitive data and protect user privacy. The Blockchain can no doubt help with this, but I feel that many people are missing the point.
The main problem that the Blockchain solved was secure and distributed consensus, which enables two parties, who don’t trust each other, to transfer digital assets without the need for an intermediary! Secure distributed consensus is very difficult to achieve, as we must assume that some of the nodes on the network are either faulty or malicious. The Blockchain was the first viable solution to this problem.
However, trust-less distributed consensus is not the problem that most organizations are faced with when it comes to data security. Insiders – whether negligent or malicious – are the #1 security threat to most organizations.
Organizations simply have no choice but to trust their employees with the data they store and/or process. As such, they will be better off implementing some type of Data Security Platform, which can automatically detect, alert and respond to suspicious events concerning sensitive data – regardless of how that data is stored. For a quick look at a Data Security Platform that can do just that, take a look at LepideAuditor.
Likewise, if we really must store large amounts of sensitive data on a centralized server, we need to ensure that the data is encrypted both at rest and in transit.
The uncomfortable truth about data security is that no technology can keep our data 100% secure. It’s not possible, because humans are the weakest link. However, in the right circumstances, decentralized technologies can be very useful. Solid can give users more control over how their data is stored, and who has access to it. Blockchains are great for digital currencies and “smart contracts,” but are not really suited for protecting confidential data. Either way, companies will need to monitor the behavior of their employees and ensure that they are aware of security best practices.