Inconsistent Data Security Controls: When the Same Data Is Both Encrypted and Exposed

May 9, 2023
May 15, 2024
Cyera Research
What are the odds of a company experiencing a data breach? According to one source, if you’re part of the Fortune 1000, then the likelihood that your company has had a data breach in the past decade is over 60%. And those numbers only consider the incidents that were publicized.

For large organizations with valuable data, the question becomes not IF your data will be breached, but WHEN. To minimize the blast radius of a data breach and the subsequent regulatory fines, brand damage, and revenue impact, data defenders apply a variety of security controls to their data. This includes limiting who has access and what they can see. 

While implementing data security controls can limit the damage of a data breach, the controls themselves are often not applied consistently to data. 

Cyera’s security researchers examined cloud environments operated by different organizations, uncovering inconsistencies in how data security controls were applied. 

Inconsistent role-based access controls

Role-based access control (RBAC) authorizes and limits access to data based on a user’s role. 

In this scenario, the role has access to Table A and Table B. Both tables contain social security numbers, a highly restricted data class. In Table A, social security numbers are masked at the column-level. In Table B, social security numbers are exposed as plaintext. 

Visual of a single role with access to two tables, both containing SSN

How does this happen? The security team intended to restrict business users from seeing social security numbers in plaintext format, no matter where social security numbers reside. They applied a masking policy that covers certain datasets but missed unknown datasets that were not properly inventoried and governed by the organization.

Inconsistent dynamic data masking

Data warehouses including Snowflake, Azure Synapse, AWS Redshift, and Google BigQuery support dynamic data masking. This feature enables data to be stored in plaintext, but masked at query time. With dynamic data masking, users can freely run queries but see selected data in a masked format.

In this scenario, dynamic data masking was applied to select data classes, but not consistently within the same query results. We see that the person’s name and account number are masked. However, the same person’s name and account number are exposed in plaintext within a JSON object. 

How does this happen? Data engineers store JSON objects in a database because those objects serve valuable purposes, including logging certain actions, storing permissions and configurations, avoiding slow performance for highly nested data, or informing data analysts about what data is available for analysis. But the same risk exists in each of these cases: exposing sensitive data that many discovery and classification tools cannot see.

Query results in a data warehouse showing a single row of information
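One way to audit for the gap described above, as an added example that is not Cyera's code or part of the original article: for each row, check whether the value of a masked column recurs in plaintext inside a JSON object stored in another column. The column names, the sample row and the function names are constructed for illustration, and the sketch assumes the auditing role can read the unmasked values.

```python
import json
import re
SAMPLE_ROW = {  # constructed row, as read by an auditing role that sees unmasked values
    "CUSTOMER_NAME": "Jane Example",
    "ACCOUNT_NUMBER": "0042-7781-9034",
    "REGION": "EMEA",
    "EVENT_LOG": json.dumps({"action": "transfer", "actor": {"name": "Jane Example"},
                             "details": [{"acct": "004277819034", "amount": 120.5}]}),
}
MASKED_COLUMNS = {"CUSTOMER_NAME", "ACCOUNT_NUMBER"}  # assumed to carry a masking policy

def _norm(value):
    """Lower-case and keep only letters and digits, so 0042-7781 matches 00427781."""
    return re.sub(r"[^a-z0-9]", "", str(value).lower())

def _leaves(node, path="$"):
    """Yield (path, scalar) for every leaf, descending into JSON stored as a string."""
    if isinstance(node, str):
        try:
            inner = json.loads(node)
        except ValueError:
            inner = None
        if not isinstance(inner, (dict, list)):
            yield path, node
            return
        node = inner
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _leaves(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _leaves(child, f"{path}[{i}]")
    elif node is not None:
        yield path, node

def find_mask_bypass(row, masked_columns, min_len=4):
    """Return (masked_column, json_column, json_path) where a masked value recurs in JSON."""
    secrets = {c: _norm(row[c]) for c in masked_columns
               if len(_norm(row.get(c) or "")) >= min_len}  # skip values too short to match safely
    findings = []
    for col, raw in row.items():
        if col in masked_columns or not isinstance(raw, str):
            continue
        for path, leaf in _leaves(raw):  # path "$" means a plain scalar, not a JSON document
            findings += [(src, col, path) for src, s in secrets.items()
                         if path != "$" and s in _norm(leaf)]
    return findings

if __name__ == "__main__":
    print(find_mask_bypass(SAMPLE_ROW, MASKED_COLUMNS))
```

Each finding names the masked column, the JSON column that repeats its value, and the path inside the JSON object, which is the location a masking policy or a redaction step still needs to cover.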

Leverage Cyera to audit data security controls

The sampled environments belonged to organizations that applied security controls with legacy tools available in the market. As a consequence, there were no good ways of knowing how effective those implementations were. That is, until they adopted a cloud-native data security platform, allowing them to see:

  • What sensitive data classes were exposed
  • Where the sensitive data was located, including the data they didn’t know about 
  • What access levels were in place
  • And what obfuscation methods (encrypted, hashed, tokenized, etc.) were used or missing

Cyera’s data security platform provides deep context on your data, applying correct, continuous controls to assure cyber-resilience and compliance.

Cyera takes a data-centric approach to security, assessing the exposure to your data at rest and in use and applying multiple layers of defense. Because Cyera applies deep data context holistically across your data landscape, we are the only solution that can empower security teams to know where their data is and what exposes it to risk, and to take immediate action to remediate exposures and assure compliance without disrupting the business.

To learn more about how you can audit the effectiveness of your data security controls, schedule a demo today.