UDS mitigates two major cyber security issues: Data breaches and data tampering.
For businesses, data loss means financial and reputation damage. IBM reports that a data breach costs $4.24m on average globally. When the government loses data, the damage could lead to more severe outcomes, and lives could be lost.
Data tampering can have an ever more negative consequential impact than data loss. Its stealthy nature makes it harder to detect and prevent. The result can lead to disinformation and disruption to public services if critical infrastructure operators are the target.
The SolarWinds attack and the attack on the Colonial Pipeline revealed the fragile state of data security and our dependency on it.
Furthermore, UDS mitigates the challenge of compliance with data privacy laws like GDPR and HIPAA. UDS achieves this by providing persistent assurance of data security and integrity. It provides cyber resiliency when under attack.
The big difference is the persistent assurance of data security provided by UDS, where Zero Trust Architecture falls short.
Zero Trust Architecture, or ZTA, is designed to control access to devices and provides data protection simply by association with the devices. If cybercriminals can breach devices, they will be able to steal all the data on the breached devices, which worsens the problem. This breach-device-to-steal-data tactic happens in almost all data breaches.
Researchers at Gartner now believe ZTA will not mitigate more than half of the attacks; similarly, IBM found businesses with mutual ZTA implementation lost $3.2m in a data breach on average.
ZTA is no silver bullet.
UDS is a perfect complement to ZTA by providing an independent layer of protection for data. If organizations deployed UDS, it would persistently protect the data on breached devices and prevent data loss.
Businesses will need UDS to provide persistent assurance of data safety.
Cloud storage stores data as objects on the cloud. It automatically encrypts the data in the storage and sends only the decrypted data to the authenticated users. Although an extra layer of encryption does not hurt, transparent decryption doesn’t provide the needed protection.
Cloud storage encryption is intended to protect against data breaches after attackers broke into the cloud storage environment. One example of such attacks happened to GoDaddy’s web hosting service which went on for over 3 years before being detected in 2023. It doesn’t protect data when attacks come from the user’s environment. If attackers were able to use stolen credentials or explore misconfigurations to steal data from the cloud storages, the stolen data will be unencrypted due to the transparent encryption design which results in a data breach.
Let’s take a look at the other weaknesses of cloud data storage.
First, access control is enforced only when the user is authorized to access the bucket through authentication. Once granted access, the user can access and download all the data in the bucket, and cloud encryption no longer protects the data. That is the primary reason why an impersonation attack or a single misconfiguration can lead to a massive data breach, resulting in the loss of every file in the bucket.
Second, users must download the data to their local device to access it. When a user opens a file from the cloud storage, his browser downloads the file in clear text and stores it on the local device for an extended time in a temporary file folder. The cleared text data creates a new attack surface.
But if the breached bucket stores only APFX data, the local data would be protected by the persistent encryption from UDS, and therefore no new attack surfaces are created. The attacker has to request access to UDS for every data, a process that will effectively stop the breach with very little data at risk.
Finally, as much as we, as human beings, believe in our ability to do the right thing, almost every data breach involves some human error: failing to patch in time, making mistakes in configurations or processes, or being victims of phishing or social engineering attacks, etc. UDS is here to prevent human errors, whatever they may be, from creating a bigger disaster.
Short version: UDS enforces access control on every file. No one else does.
During the data discovery process, UDS discovers data, enriches the data with appropriate tags, and then transforms the data into an APFX format that contains only encrypted data to replace the original clear data. Whenever users want to access APFX data, they need to request permission from UDS for each one of them every time. Although it may sound complicated, UDS can process requests in less than a second because of its efficiency, so users would barely notice the delay.
Now assume attackers have breached a business network and stolen valid user credentials. The attackers would like to exfiltrate the files but can access none of them since all the APFX files are encrypted. Most likely they would abandon the effort. If the attackers use the stolen credential to access the encrypted data, the access control process at UDS would detect the excessive number of requests from the user in a short period and determine that to be a departure from the usual pattern. A security alert would be issued to admins while the user’s access requests are denied.
In the worst case, a small number of files could be potentially breached. But since the attackers can’t scan the content of each file and therefore cannot select data to attempt to open first, it minimizes the chance of losing critical data. Businesses can also implement advanced features, including classified data access control, to reduce the chances of data breaches even further.
UDS stores only the meta-data of each APFX file and data access history. The UDS client app only encrypts and decrypt data. It does not send a copy or any part of the data to the UDS cloud. UDS cloud stores and uses only meta-data to determine access rights.