Providing real protection of customer data begins with the acceptance that there is no surefire way to prevent breaches.
Such is the thinking behind technology provided by CloudMask, an Ottawa-based IT security company that protects data even in the event of a breach.
“Nobody can claim that they can prevent hackers. You see it every day: governments, banks… even the Canada Revenue Agency was hacked three times in the last two or three months,” said Wael Aggan, the CEO of CloudMask. “The question is, ‘How can I protect myself when my adversaries are much stronger than me?’ That is the big dilemma.”
Instead of trying to prevent data breaches entirely, which is widely accepted as an impossibility, products like CloudMask’s Tokenization Technology make data illegible to hackers, so that even if data is stolen, it is rendered useless.
“I’m not preventing the attackers from reaching my data, but I will mask the data in a way that it is worthless, even if it has been taken by hackers,” said Aggan. “It’s like shredding your documents, mixing it with other shredded documents, and putting it in the middle of the street. Nobody can understand it, you’re the only one who can take this shredded document and put it back into a clear format.”
The number of data breaches in Canada varies, but Bill S-4, also known as the Digital Privacy Act, now requires Canadian companies to report incidents as of June 18th. One doesn’t need to look very far, however, to find reports of data breaches at major Canadian companies, government institutions and banks.
Aggan explains that breaches have become more severe and frequent since the introduction of cloud computing, which put massive amounts of sensitive data in a single location, creating high-value targets for hackers.
“In 2000 the largest credit card theft was 30,000 records,” he said. “Now we are talking about 30 million and 40 million.”
Furthermore, few cloud-based technology systems account for what is perhaps one of the most overlooked sources of malicious behaviour: the kind that comes from inside the organization itself. Most security systems work by way of implicit trust, but Aggan believes that organizations are often too trusting of their employees. That is why CloudMask’s Tokenization Technology requires explicit consent before unscrambling information.
“I can guarantee you, without a doubt, that there are hackers today inside governments, and they have no idea about it,” he said. “If you’re using our technology, your system administrator can deal with the data, however they cannot see the data.”
CloudMask, which only launched 10 months ago, recently started working with Allstream.
“Allstream has a very good offer on the IP side, securing the network, which is something that’s very important,” said Aggan. “But if you add securing the data sitting inside the network, you are providing your customer with significant competitive advantage, risk avoidance and risk mitigation, because the data itself is secure within the organization, not just the perimeter.”