# 2018 THALES DATA THREAT REPORT: Trends in Encryption and Data Security, U.S. FEDERAL EDITION (#2018DataThreat)

Source: go.thalesesecurity.com/rs/480-LWA-970/images/2018...



2 2018 THALES DATA THREAT REPORT • U.S. FEDERAL EDITION

OUR SPONSORS

GEOBRIDGE

TABLE OF CONTENTS

INTRODUCTION 3

KEY FINDINGS 3

GOOD NEWS AND BAD NEWS 7

SECURITY AND SPENDING 11

DATA SOVEREIGNTY 14

SECURING BIG DATA, SaaS AND IoT 14

CLOUD SECURITY 15

BIG DATA 16

IoT 17

DOCKERS/CONTAINERS 18

THE ‘YIN AND YANG’ OF ARTIFICIAL INTELLIGENCE/MACHINE LEARNING 19

MOBILE PAYMENTS 20

BLOCKCHAIN – STILL EARLY, BUT BIG PLANS 21

RECOMMENDATIONS 22


INTRODUCTION

The U.S. Federal Government continues to struggle with the same cybersecurity challenges that most verticals are wrestling with, but against a different set of obstacles that other markets don’t usually face. In the Global edition of the Thales 2018 Data Threat Report, we noted that breach counts continue to mount, even in the face of rising security budgets. This is certainly true of the U.S. Federal sector, which has experienced a higher rate of breaches in the past year than any other sector. While the U.S. Federal sector has the highest number of respondents – by a wide margin – expecting IT security spending to increase, overall Federal IT budgets are plummeting. Indeed, despite the encouraging spending results, budgetary constraints also loom as the primary obstacle to U.S. Federal agencies deploying data security more broadly.

The other angle to consider is that the overall Federal IT budget dropped by $6.2 billion in 2017 with other cuts expected this year. It is questionable how such large security spending plans can be maintained without impacting overall IT performance and business processes in other areas. The overall Federal budget cuts and continued mounting cyber threats come at a time when pressure is building on all Federal agencies to make government more accessible and transparent while protecting gigantic volumes of personal information it holds on its 330 million citizens. These agencies face these daunting challenges at a time when many of them must use and maintain some of the oldest systems and software found anywhere.

KEY FINDINGS

Similar to the Global report, responses from U.S. Federal agencies illustrate a combination of good news and bad news, with perhaps a greater slant towards the ‘bad’. On the positive side, of the 100 U.S. Federal IT leaders responding to the survey, 93% say their agency’s spending will be ‘somewhat higher’ or ‘much higher’ this year compared to last, with 73% saying ‘much higher’ – well ahead of the 78% of global respondents reporting planned increases. It’s also worth noting that last year, U.S. Federal trailed all other sectors in terms of the percentage planning to increase security spending in the coming year.


[Chart: U.S. Federal security spending, 2017 vs. 2018; categories: somewhat lower or much lower, about the same, somewhat higher or much higher]


However, U.S. Federal respondents also reported more breaches last year (57%) than any other vertical by a wide margin, well ahead of the global average of 36%. U.S. Federal also led in this category last year, which may partly explain the surge in planned security spending increases. Not surprisingly, those respondents saying they feel ‘very or extremely vulnerable’ to data threats topped all verticals at 68%, again well ahead of the global average of 44%.

U.S. Federal is also much more likely to use public cloud resources and a multi-cloud strategy. Nearly half (45%) of U.S. Federal organizations use more than 5 IaaS vendors, 3x the global average of 15%. However, U.S. Federal is also much less likely than the global average to store sensitive data in ‘new’ or ‘emerging’ technologies. For example, just 28% of U.S. Federal and 31% of Global Federal plan to store sensitive data in SaaS apps, well below the global average of 45%.

[Chart: Number of IaaS providers used and number of SaaS providers used, U.S. Federal vs. Global; 45% of U.S. Federal vs. 15% of Global use more than 5 IaaS providers]


[Chart: Plans for storing sensitive data in 2018, U.S. Federal vs. Global; categories: Software as a Service (SaaS) applications, Infrastructure as a Service (IaaS) environments, Platform as a Service (PaaS) environments, mobile applications, Big Data environments (Hadoop, NoSQL, etc.), Internet of Things platforms, containers/Docker images, blockchain, none of these]


U.S. Federal respondents are still not putting their money where their data is: the largest share of respondents this year (56%) plan to increase spending on endpoint and mobile devices, despite ranking endpoint and mobile devices as least effective at protecting sensitive Federal data – a major disconnect. Conversely, both data-in-motion (78%) and data-at-rest defenses (77%) are ranked as most effective at stopping data breaches, yet rank at the bottom in terms of spending plans.

Part of the reason is that there are significant adoption barriers for data security, including perceived complexity (41%) and business impact (47%). However, despite having robust spending plans, lack of budget (53%) looms as the greatest hurdle among U.S. Federal. Further – only 23% of U.S. Federal are implementing encryption in the cloud now compared to 28% (Global Federal) and 30% (Global).


[Chart: U.S. Federal increases in IT security spending by technology type, 2017 vs. 2018; categories: endpoint and mobile device defenses, network defenses, data-in-motion defenses, data-at-rest defenses, analysis and correlation tools]

[Chart: Perceived barriers to data security in 2018, U.S. Federal vs. Global; categories: lack of budget, concerns about impacts on performance and business process, complexity, lack of perceived need, lack of organizational buy-in/low priority, lack of staff to manage]


Globally, encryption and tokenization remain top choices for securing most new environments: cloud, IoT, Big Data and containers and also dealing with data sovereignty. And while encryption with local key management remains the top means to protect data in the cloud globally (44%), only 32% in U.S. Federal and 34% in Global Federal choose local key management, while both U.S. and Global Federal show preference for allowing cloud providers to control encryption keys. This is a potential problem since they don’t really have full control over their data if they don’t control the keys, but it also potentially runs afoul of Federal guidelines such as NIST 800-53, FedRAMP and the federal risk management framework which have strong requirements to maintain control over data. And while encryption/tokenization (48%) and authentication (47%) are the top security controls for IoT globally, for U.S. Federal, perimeter/gateway protections between IoT/ICS and IP networks was the top choice (47%).

GOOD NEWS AND BAD NEWS

Like most other sectors, data security spending plans in the U.S. Federal sector are up compared to last year – WAY up. Perhaps more importantly, for the first time, U.S. Federal ranks the highest of any U.S. vertical in terms of spending increase plans – more than 9 out of 10 (93%) plan to increase security spending in 2018, well ahead of the 78% global average and 79% for Global Federal. Further, a whopping 73% in U.S. Federal expect security spending to be ‘much higher’, more than double the 34% global average – only U.S. Healthcare was close at 46% responding ‘much higher’.

The bad news is that reports by U.S. Federal respondents of successful breaches last year (57%) are far ahead of the global average (36%), and also the Global Federal sector (26%). Further, 70% of U.S. Federal respondents say their agencies were breached at some point in the past, slightly ahead of 67% globally.


[Chart: Data breaches and compliance audits in 2018, U.S. Total vs. Global vs. U.S. Federal; categories: experienced a data breach in the last year, experienced a data breach at another time in the past, failed a compliance audit due to data security issues in the last year, failed a compliance audit due to data security issues at another time in the past]

Experienced a data breach at any time in the past: Global 67%, U.S. total 71%, U.S. Federal 70%.


Given these sobering data, it is not surprising that U.S. Federal respondents lead all other sectors in terms of how vulnerable they feel to potential attacks. While those feeling some degree of vulnerability (89%) is in line with the 90% global average, more than two-thirds in U.S. Federal (68%) report feeling ‘very’ + ‘extremely’ vulnerable, much higher than the 44% global average and 42% for Global Federal.

Despite having the most respondents ranking data-in-motion (78%) and data-at-rest (77%) as ‘very’ or ‘extremely’ effective at stopping data breaches – and the fewest for endpoint/mobile defenses (64%) – U.S. Federal for the first time in our survey has indicated that the most respondents plan to increase spending on endpoint/mobile devices (56% vs. 57% Global and 47% Global Federal). Paradoxically, data-at-rest security is ranked dead last by U.S. Federal in terms of spending plans (19%), and is also ranked the lowest among any vertical or region or the global average (40%) by a wide margin. Global Federal ranks data-at-rest security (35%) closer to the global average in terms of spending plans, but still well below the top two choices, network (48%) and endpoint security (47%).

[Chart: Levels of enterprise vulnerability to data threats in 2018, U.S. Federal vs. Global Federal vs. Global; ‘very’ + ‘extremely’ vulnerable: U.S. Federal 68%, Global Federal 42%, Global 44%; total ‘vulnerable’: 89% to 92% across the three groups]

[Chart: Plans for spending increases in IT security by technology type in 2018, U.S. Federal vs. Global; categories: endpoint and mobile device defenses, network defenses, data-in-motion defenses, data-at-rest defenses, analysis and correlation tools]


This glaring disconnect between respondents’ actual spending plans and their views of what is most effective at stopping breaches is troubling, and may reflect a number of factors, including adherence to traditional spending habits and institutional inertia – in other words, ‘old security habits die hard.’ Network security is widely seen as helping little with securing new technologies such as Big Data, containers and cloud.

Another paradox: whereas complexity and concerns about impacts on performance and business process were the top barriers globally for implementing data security – at 43% and 42% respectively – lack of budget was the number one barrier for U.S. Federal (53%), despite the highest security spending plans of any vertical. These concerns could well reflect the overall Federal IT budget trends, with total actual budgets dropping from $83 billion in 2016 to $76.6 billion in 2017. That said, lack of budget was also the number one data security adoption barrier for Global Federal (52%), followed by complexity (46%) and business/performance impacts (39%).

[Chart: U.S. Federal perceived effectiveness of IT security tools in 2018; categories: endpoint and mobile device defenses, network defenses, data-in-motion defenses, data-at-rest defenses, analysis and correlation tools]

[Chart: Perceived barriers to data security in 2018, U.S. Federal vs. Global; categories: lack of budget, concerns about impacts on performance and business process, complexity, lack of perceived need, lack of organizational buy-in/low priority, lack of staff to manage]


SECURITY AND SPENDING

The top motivators for security spending among Federal respondents included both avoidance of penalties and implementing best practices (both at 53%), both topping last year’s top choice of executive directive (52%). Both selections were also well above the global averages of 39% and 29%, respectively. Compliance remains a top spending driver (43%) for U.S. Federal respondents – roughly two-thirds in both U.S. Federal (67%) and Global Federal (66%) feel compliance requirements are ‘very’ or ‘extremely’ effective, compared to the 64% global average.

[Chart: U.S. Federal motivators for security spending, 2017 vs. 2018; categories: implementing security best practices, avoidance of financial penalties resulting from a data breach, compliance requirements, competitive/strategic concerns, impact of increased use of cloud computing, executive directive, requirements from business partners, customers or prospects, reputation and brand protection, the organization has experienced a data breach in the past, data breaches at a competitor or partner]


There are big changes afoot among U.S. Federal respondents when it comes to planned increases in data security implementations. In this year’s survey, tokenization topped the list of planned increases at 51%, compared with 44% globally and just 37% among Global Federal respondents (tokenization was also the top choice for U.S. Federal in 2017, at 45%). Next is multifactor authentication at 48% vs. 42% for Global Federal, followed by Bring Your Own Encryption Key (BYOK) at 47% for U.S. Federal respondents vs. 42% for Global Federal. Notably, U.S. Federal had the lowest plans for CASB (30% vs. 37% global average and 44% for Global Federal). Global Federal had slightly different priorities, listing SIEM as the top area of increase (53% vs. 41% global overall), followed by CASB at 43%.

[Chart: Planned increases in data security implementations, U.S. Federal vs. Global; categories: tokenization; multi-factor authentication; deploy a 3rd party key management or Bring Your Own Key (BYOK) encryption key management solution for an encryption service offered by a cloud service provider; security information and event management (SIEM) or other log analysis and analytical tools; application layer encryption; hardware security modules; data access monitoring; data masking; Cloud Access Security Broker (CASB)/cloud encryption gateway; enable encryption capabilities in cloud services (IaaS, PaaS, SaaS); privileged user access management; database/file encryption; data loss prevention (DLP); identity and access management (directories, access controls, SSO, etc.)]


DATA SOVEREIGNTY

Given the rising global tide of government surveillance concerns, as well as looming GDPR deadlines coming in May of 2018, data sovereignty continues to be highly topical. Only 10% of U.S. Federal and 15% of Global Federal don’t expect to be impacted by data privacy laws, vs. a 13% global average. However, there are notable differences between the U.S. and Global Federal respondent groups as well as the overall global averages. For example, while the number one global answer to protect personal data was encryption (42%), by a wide margin, for U.S. Federal respondents utilizing local hosting or cloud providers is the top choice (28%), with encryption in second place at 24% – well below both the global average and the 37% for Global Federal – and tokenization third (23% for U.S. Federal respondents).

SECURING BIG DATA, SaaS AND IoT

While most organizations across all verticals are actively pursuing multi-cloud strategies, this is even more true for the U.S. Federal sector. For example, 57% of respondents globally use three or more IaaS providers, while nearly half (45%) of U.S. Federal organizations use more than five IaaS vendors, triple the global average of 15%. Similarly, with respect to PaaS, 46% of U.S. Federal respondents are using more than five PaaS vendors, compared to just 14% globally and a scant 6% of Global Federal respondents. When it comes to SaaS applications, U.S. Federal respondents are equally diversified: nearly half (47%) of U.S. Federal are using more than 100 SaaS apps, more than double the global average of 22%, and well ahead of just 9% for Global Federal. Despite heavy usage, only 28% of U.S. Federal respondents say they are storing sensitive data in SaaS applications, compared to 45% globally.


[Chart: Plans for meeting data sovereignty requirements to protect personal data, U.S. Federal 2017 vs. U.S. Federal 2018 vs. Global Federal 2018; categories: we plan to utilize local hosting or cloud providers to remain compliant with data privacy/sovereignty regulations; we plan to encrypt any personal data we collect or process that is subject to data privacy/sovereignty regulations; we plan to tokenize any personal data we collect or process that is subject to data privacy/sovereignty regulations; we plan to migrate customer data to new locations to remain compliant with data privacy/sovereignty regulations; our organization will not be impacted by any local, national or regional data privacy/sovereignty regulations]


CLOUD SECURITY

Globally, attacks and breaches at the cloud provider remain the top cloud security concern at 64%, up from 59% last year. For U.S. Federal respondents, however, increased vulnerabilities from shared infrastructure figured as the top concern at 72%, ahead of 55% for Global Federal respondents, while breaches at the cloud provider slipped to third place at 68%. The top concern for Global Federal was custodianship of encryption keys (62% vs. 57% globally and 69% for U.S. Federal).

[Chart: Top cloud security concerns in 2018, Global Federal vs. U.S. Federal; categories: lack of visibility into security practices; custodianship of your encryption keys; increased vulnerabilities from shared infrastructure; lack of control over the location of data/data residency concerns; lack of a data privacy policy or privacy service level agreement; meeting compliance requirements; privileged user abuse at the cloud or SaaS vendor (including system administrators, cloud administrators, storage administrators, virtualization administrators); security breaches/attacks at the service provider; managing encryption keys across multiple cloud environments; security of my organization's data if the cloud provider fails or is acquired; managing, monitoring and deploying multiple cloud native security tools]


One potential problem is that less than one-third (30%) of global respondents are currently implementing encryption in the cloud, and this is even more true for the U.S. (23%) and Global (28%) federal sectors. Among those looking to implement encryption, only 32% in U.S. Federal and 34% in Global Federal are opting for encryption with local key management, well below the global average of 44%. Further, encryption with the keys managed by the service provider was the top answer for both U.S. Federal (34%) and Global Federal (46%), which suggests local key management is less of an issue for federal respondents in general.

With the cloud growing in popularity throughout the entire Federal government, and given both the requirements for protecting data and documented weaknesses in popular cloud platforms, it is reasonable to question why Federal agencies don’t routinely encrypt more cloud data. Doing so would help agencies align better with existing federal guidelines such as FedRAMP, or others from the National Institute of Standards and Technology (NIST), under the Dept. of Commerce. NIST has promulgated various detailed requirements as well as standards and guidelines, such as 800-53, to ensure privacy and security controls for Federal data. The goal is to develop common data security foundations to promote safe sharing of data within Federal government agencies and with various external constituents and the private sector. NIST has also published a risk management framework designed to integrate security and risk management activities into the system development life cycle.

Despite these and other requirements and recommendations, data leaks have occurred. In one recent instance, several classified files from the NSA and the U.S. Army were discovered on a cloud server without any password protection, essentially available to anyone with a URL. The server in question was an unlisted Amazon Web Services S3 cloud storage server of the United States Army Intelligence and Security Command (INSCOM) operating jointly out of the U.S. Army and the NSA. Among the files were some designated “Top Secret.”

BIG DATA

With Big Data adoption mandates for all U.S. Federal agencies implemented by the Obama Administration, securing Big Data environments should be a top concern for U.S. Federal respondents. Globally, the idea that sensitive data may reside anywhere in a Big Data environment (34%) and the security of reports that may contain sensitive data (33%) were the top Big Data security concerns, though privacy violations from data originating in multiple countries tops the list (31%) for U.S. Federal, followed by discovering the location of sensitive data (27%) and security of reports that may include sensitive data (24%).

This year we also added a new question to quantify the top choices for securing Big Data. For U.S. Federal, the top choice was the ability to analyze and encrypt/tokenize Big Data (34% vs. 30% for Global Federal and 32% overall). Sensitive data discovery and classification was the next most selected option at 32%, while stronger authentication (40%) was the top choice among Global Federal respondents.


IoT

A new question in this year’s survey asked which IoT devices are the most popular. And while power/energy devices were number one globally (33%), security/military devices not surprisingly emerged as the top choice for U.S. Federal respondents (32%), followed by environmental monitoring (24%) and transportation (23%); medical and scientific devices were dead last at 13%.

[Chart: Most popular IoT devices for U.S. Federal in 2018; categories: medical, power/energy, other infrastructure, personal/wearables, manufacturing, scientific, transportation/automotive, security/military, home/appliance, environmental monitoring]

[Chart: Top concerns for securing big data in 2018, Global Federal vs. U.S. Federal vs. Global; categories: security of reports that may include sensitive data; sensitive information may reside anywhere within the environment; privacy violations from data originating in multiple countries; privileged user access to protected data in the implementation; lack of effective access controls; lack of native security frameworks/controls within the Big Data environment; discovering where sensitive data may be located within a Big Data environment; data that may not be ‘sensitive’ initially may become so after running a Big Data experiment]


The biggest IoT security concerns both globally (26%) and for U.S. Federal (22%) and Global Federal (28%) were protecting sensitive data generated by an IoT device, followed closely by identifying or discovering sensitive data (21% for both U.S. and Global Federal). What are the top security controls for IoT? While globally the top two answers are encryption/tokenization (48%) and authentication (47%), for U.S. Federal, perimeter/gateway protections between IoT/ICS and IP networks was the top choice (47%) as the key factor in implementing new IoT platforms, comfortably ahead of authentication/secure digital identification of IoT devices (42%) and encryption/tokenization (39%). For Global Federal by comparison, authentication ranked number one (52%) followed by encryption (48%).

DOCKERS/CONTAINERS

With enthusiasm for containers spreading fast as an application deployment technology, 27% of U.S. Federal respondents are already using containers in production applications, with 22% for non-critical applications and 5% for critical applications. Meanwhile, the rankings of security concern are changing: this year the security of data stored in containers ranked number one with U.S. Federal respondents (31%), followed closely by unauthorized access (30%) and then container vulnerabilities (26%). By contrast, unauthorized access was the top concern last year (57%) followed by the spread of malware (45%).


[Chart: Biggest IoT security concerns (U.S. Federal vs. Global Federal). Response options: protecting sensitive data generated by an IoT device (encryption, tokenization, etc.); identifying or discovering data generated by an IoT device that may be sensitive; lack of security frameworks and controls within the IoT environment; attacks on IoT devices that may impact critical operations; lack of effective access controls/device authentication; no plans to adopt IoT technologies; privacy violations related to data generated by an IoT device; privileged user access to IoT devices; lack of industry standards for securing IoT devices; loss or theft of IoT devices; lack of skilled personnel to implement IoT securely.]


The top security controls for containers for U.S. Federal respondents include monitoring (42%); vulnerability scanning (37%); and digital signatures (36%), while for Global Federal, anti-malware took the top spot (44%).

THE ‘YIN AND YANG’ OF ARTIFICIAL INTELLIGENCE/MACHINE LEARNING

Like most security tools, artificial intelligence and machine learning can be put to both beneficial and malicious uses. Vulnerability scanners are a good example: they are used by ‘good guys’ to scan their own networks for vulnerabilities as part of a pen test, but also by attackers looking for a way to infiltrate a network. We therefore asked a similar question about the impact of AI and ML on security, and found that both are broadly seen as potentially having positive and negative consequences for security.

[Chart: U.S. Federal use of containers in 2018. Categories: Evaluating; Testing; In Pilot; In non-critical production applications; In critical production applications; Not currently in plan.]


[Chart: U.S. Federal ranking of container security concerns in 2018. Response options: security of data stored in containers; unauthorized access to containers; vulnerabilities in container images; patching/updating containers; lack of trust in container images produced by third parties; privacy violations from using shared resources; spread of malware among containers; lack of compliance certifications for containers; other (please specify).]


Both federal sectors are much less optimistic about the positive impacts of AI/ML than others: 64% globally see increased data security, but just over half (51%) of U.S. Federal respondents and 54% of Global Federal respondents believe the use of machine learning and AI increases security by recognizing previously unrecognizable network anomalies. At the same time, a full 36% (40% of Global Federal) say increased breaches owing to AI-based hacking tools are also a consequence.

MOBILE PAYMENTS

Another new area of questioning concerns the impact and security implications of increased use of mobile payments technologies. U.S. Federal respondents ranked exposure of personal information other than credit card information as the top security concern (40%), followed by hackers using these applications to commit payment fraud (35%). U.S. Federal respondents are far less concerned about exposure of payment card info (27%) than their Global Federal counterparts (40%).


[Chart: Beliefs about the impact of AI and ML on security in 2018 (U.S. Federal vs. Global Federal). Response options: results in increased threats due to use as a hacking tool; increases data security by recognizing and alerting on attacks; neither; unsure/no opinion.]

[Chart: Top concern of mobile payment technologies in 2018 (U.S. Federal vs. Global Federal). Response options: potential exposure of payment card information; potential exposure of personally identifiable information (other than payment card info); fraudsters using mobile payment apps for account takeover (ATO); fraudsters using mobile payment apps for new account fraud; weak authentication protocols used by mobile payment apps; weak onboarding/KYC protocols used by mobile payment apps.]


BLOCKCHAIN – STILL EARLY, BUT BIG PLANS

Blockchain could be one of the most significant new developments in security in years. While much of the buzz has been around Bitcoin and cryptocurrencies, blockchain also has applications in securing transactions, protecting data and managing identities, to name a few. Though it is still very early for commercial implementations of blockchain, just 8% of respondents globally have no plans to adopt it, with both U.S. Federal and Global Federal higher at 13% and 10%, respectively. U.S. Federal respondents listed financial transactions/secure payments as the top application and use case for blockchain (35%), followed at 28% by the trio of online purchases, protecting customers, and authenticating devices. For Global Federal, the top blockchain application is user authentication (38%) followed by device authentication (36%).

[Chart: U.S. Federal top application and use case for blockchain. Response options: for financial transactions/secure payments; for online purchase transactions; to protect medical records; to protect customer information; to authenticate users; to authenticate devices; no plans to adopt blockchain.]


RECOMMENDATIONS

RE-PRIORITIZE YOUR IT SECURITY TOOL SET

With increasingly porous networks, and expanding use of external resources (SaaS, PaaS and IaaS most especially), traditional end point and network security are no longer sufficient. When implemented as a part of the initial development (for ease of implementation versus retrofitting at a later date), data security offers increased protection to known and unknown sensitive data found within advanced technology environments.

DISCOVER AND CLASSIFY

Get a better handle on the location of sensitive data, particularly to deal with Big Data, IoT and compliance mandates such as NIST 800-53 and FedRAMP.

DON’T JUST CHECK OFF THE COMPLIANCE BOX

U.S. Federal respondents have a high level of faith in compliance mandates. However, federal organizations should consider moving beyond compliance and adopting security tools such as encryption or tokenization that may be more appropriate as new technologies like cloud are increasingly mandated by federal agencies.

ENCRYPTION AND ACCESS CONTROL

Encryption needs to move beyond laptops and desktops. Further, federal practitioners should also deploy encryption solutions that are NIST certified. Keys should also be protected with Common Criteria and FIPS 140-2 Level 3 certified solutions as a best practice.

Cloud: Encrypt and manage keys locally; BYOK is an enabler for enterprise SaaS, PaaS and IaaS use, particularly for those pursuing multi-cloud strategies, as the U.S. Federal market is.

Multi-cloud: For multi-cloud environments specifically, keys should be multi-tenant to achieve maximum separation of duties, highly scalable, with strong audit capabilities for forensics and reporting, and also with on-premise options for maximum security.

Big Data: Employ discovery as a complement to encryption and access control within the environment

Containers: Encrypt and control access to data both within containers and underlying data storage locations

IoT: Use secure device ID and authentication, as well as encryption of data at rest on devices, back end systems and in transit to limit data threats

Data Sovereignty: Consider both encryption and tokenization as a way to avoid hefty fines from violating nascent privacy laws

Mobile payments: Encryption and/or tokenization can also help address the main risk from mobile payments: loss of PII

Blockchain: While it may be early for commercial implementations, blockchain promises to play a big role in terms of securing transactions, authenticating users and securing data from tampering.


ANALYST PROFILE

Garrett Bekker is a Principal Analyst in the Information Security Practice at 451 Research. He brings a unique and diverse background, having viewed enterprise security from a variety of perspectives over the past 15 years. Garrett spent more than 10 years as an equity research analyst at several investment banking firms, including Merrill Lynch, where he was the lead enterprise security analyst, as an investment banker, and also in sales and marketing roles with early-stage enterprise security vendors. Throughout his career, Garrett has focused on a wide variety of subsectors within enterprise security and is now focusing primarily on identity and access management (IAM) and data security, with a special interest in applying the former to cloud-based resources.

ABOUT 451 RESEARCH

451 Research is a preeminent information technology research and advisory company. With a core focus on technology innovation and market disruption, we provide essential insight for leaders of the digital economy. More than 100 analysts and consultants deliver that insight via syndicated research, advisory services and live events to over 1,000 client organizations in North America, Europe and around the world. Founded in 2000 and headquartered in New York, 451 Research is a division of The 451 Group.

ABOUT THALES eSECURITY

Thales eSecurity is the leader in advanced data security solutions and services that deliver trust wherever information is created, shared or stored. We ensure that the data belonging to companies and government entities is both secure and trusted in any environment – on-premise, in the cloud, in data centers or big data environments – without sacrificing business agility. Security doesn’t just reduce risk, it’s an enabler of the digital initiatives that now permeate our daily lives – digital money, e-identities, healthcare, connected cars and with the internet of things (IoT) even household devices. Thales provides everything an organization needs to protect and manage its data, identities and intellectual property and meet regulatory compliance – through encryption, advanced key management, tokenization, privileged user control and high assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organization’s digital transformation. Thales eSecurity is part of Thales Group.

Please visit www.thalesesecurity.com and find us on Twitter @thalesesecurity.

PLATINUM PARTNERS – GEOBRIDGE

Established in 1997, GEOBRIDGE emerged as one of the first information security solutions providers to support cryptography and payment applications for payment processors, financial institutions and retail organizations. Today, GEOBRIDGE is a leading information security solutions and compliance provider that provides Cryptography and Key Management, Payment Security, Compliance, and HSM Virtualization solutions and services to our clients. Our client list includes Fortune 500 companies, financial institutions, healthcare organizations and government clients across North America and around the globe. GEOBRIDGE leverages our team’s expertise in data protection, program development, enforcement and governance to help architect solutions to help mitigate risk for our clients.

Garrett Bekker Principal Analyst 451 Research


©2018 Thales