Insight

  • Data Storage Predictions for 2020

    Abstract:

    As we approach the conclusion of 2019, Scott Sinclair reflects on the current state of data storage technology and tries to forecast what’s next for the market in 2020.


    For more information or to discuss these findings with an analyst, please contact us.
  • CCPA Is Coming… Part 1


    The California Consumer Privacy Act is a landmark piece of consumer privacy legislation which passed into California law on June 28th of 2018. The bill is also known as AB 375. This Act is the strongest privacy legislation enacted in any state, giving more power to consumers with regards to their private data.   

    I sat down with my friends Dave Littman from Truth In IT and Steve Catanzano who works with us at Enterprise Strategy Group to discuss this new regulation.

    These are some excerpts of our first discussion on the topic, which you can find here.

    CCPA is not really like GDPR in many ways, but it has a lot of similarities which really focus on the privacy and the ability for individuals to understand what data is actually owned by the various vendors and the various companies they deal with. So really this is about the extension of  “natural rights” as a human being. 

    Now you have the right to your data, to know where it is, what it is, etc. The regulation is a landmark regulation in the U.S. We’re going to see a lot more in other states. It does inspire itself from GDPR.  Like GDPR, the European privacy act, California Consumer Privacy Act may be the beginning of stricter U.S. consumer privacy protections.

    CCPA is really about protecting the consumer. It gives them a lot more control over what data has been collected on them, what data is processed, what data is shared, and what data is sold. As a consumer I now have more rights to figure out where my data is and who has it, and some rights even to have it altered or removed if I think it’s inappropriately being held by someone. And then on the other side of it is the corporate side, which is now being forced to make sure they have policies and procedures in place to make sure they’re treating data the way that they need to.

    The regulation specifically calls for conspicuous annotations on webpages. And there are some interesting twists because in this case, it specifically puts parameters around the size of the business in how many customer or individual contacts it has. It’s also very, very wide in its description of what makes up the type of privacy or private data that could be affected. 

    If you think for a second about those larger organizations and how much data they actually have on individuals, the question is, do they know exactly what they have, where it is, and whether it’s protected in a way that makes sense for their organization, their own compliance, and for the CCPA compliance? They still have some very specific requirements around security, around access, etc. In the end, you’re going to see a lot of organizations scrambling to support it. And, of course you’ll get those emails; you’ll get the visible things on the websites. But that’s just the tip of the iceberg. The real story is about the data and where that data lives.

    This is something that affects both your primary systems that you have in place and, all the while, all your backup systems and your dev/ops systems. Tools like data masking are going to become more important for companies to make sure that internally, when they’re sharing data, teams aren’t seeing personal and confidential information from anyone who’s a customer of theirs. It’s really critical.

    So data intelligence is something that’s really growing. This is forcing that issue a bit further for companies to really start thinking about what are our policies, what are our procedures, how we’re treating data and using it intelligently, etc. So it’s not just for this regulation, but it goes much broader than that. And the days of just storing data and terabytes of data and not ever really looking at the data and understanding what the value is are going away. You can now have the tools in place to really be intelligent about what they’re storing, how they’re storing, and how they’re protecting it.  This pushes the issue a little further on personal privacy. It’s good for the industry overall.

    To learn more, download my free Brief on the subject:

  • California Consumer Privacy Act Overview

    The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. Often compared to GDPR, CCPA protects consumers from mismanagement of their personal data and gives them control over what data is collected, processed, shared, or sold by companies doing business in California.

    The act represents one of the most sweeping acts of legislation enacted by a U.S. state to bolster consumer privacy. Like GDPR, the European privacy act, the California Consumer Privacy Act may be the beginning of stricter U.S. consumer privacy protections.

  • Leveraging DevSecOps to Secure Cloud-native Applications

    This Master Survey Results presentation focuses on the fundamental changes to application architecture and the infrastructure platforms that host them, as well as their impact on existing cybersecurity technologies and the traditional approaches to securing business-critical applications.


  • The set of announcements at AWS’s annual re:Invent is always impressive, albeit a bit of a firehose for which AWS’s own Amazon Kinesis data streaming processing engine would be helpful. At last week’s AWS re:Invent, a seminal annual IT event only AWS can get away with scheduling the week after Thanksgiving, the company announced a number of important security capabilities, some small, some big, all customer-driven. Thematically, in addition to a clear focus on identity and access management features designed to help customers rein in their AWS identities and secure S3 buckets, AWS is clearly focused on enabling enterprise-class use cases.

  • AWS re:Invent 2019 has come and gone. The event was full of announcements, people (the entire Las Vegas strip was taken over by 65,000), and fun. Many announcements were shared prior to the event, but in a 3-hour marathon keynote, AWS CEO Andy Jassy shared more…and more….and more. And he did it all without saying “multi-cloud” or “hybrid cloud,” the latter being most impressive since, well, Outposts. Focusing on analytics, databases, and AI, here are some of my key takeaways.


  • 2019 was a year of contrasts for backup and recovery but also confirmed the great health and growth potential in this market. It is, however, at the cusp of a critical change, one that will see vendors pivot to expanded capabilities and new use cases. Those who don’t invest in these new capabilities (organically or through acquisitions) will enter a phase of slow decline, which may not be immediately evident but that will be hard to reverse. More on this in the predictions section.


  • Cybersecurity Predictions for 2020

    The Enterprise Strategy Group cybersecurity analyst team got together recently to discuss our top predictions for 2020. This brief details our predictions in three categories: threats, technology, and the cybersecurity community (i.e., cybersecurity professionals and the industry at large).


  • Think Email Security Is a Commodity? Think Again.

    Getting Email Security Right Is More Important than Ever Before

    With business email compromise racking up some of the largest financial theft associated with cyber-crime, and the relentless use of phishing as a means to trick users into handing over user credentials and other personal and sensitive data to bad actors, security organizations need to take a hard look at how their email security solutions are protecting against these issues.

    Between the move to cloud-delivered email solutions and the general belief that email security has become commoditized, few are prioritizing email security as a top investment priority for the coming year. Yet there’s a ton of innovation happening in email security to help fight phishing, business email compromise (BEC) attacks, and leakage of the sensitive data that lives within the vast array of email mailboxes.

    Email Continues as the Lifeblood of Communications

    As much as I’d like to say that email plays less of a role in today’s business communications, it continues to be the lifeblood of daily communications for most workers. In addition to communication, most workers use email as their “uber-filing-system,” packing away emails received and sent, with little regard for any sensitive data that exists within them. Further, email addresses often act as core identifiers that get reused to access multiple applications, with 63% of ESG research respondents reporting that they use the same password to access multiple work devices and/or applications.

    Traditional Email Security

    For a long time, email security was about preventing the transport of malware, as attackers leveraged email to trick users into executing various types of malware attachments to compromise an endpoint. While secure email gateways (SEGs) are commonplace to prevent these kinds of attacks, SEGs often lack the ability to protect against more advanced, modern, email-borne attacks.

    Email-borne Threats

    Over the past few years, new types of harder-to-identify threats have emerged, continuing to leverage techniques that fool workers, convincing them to open malicious attachments, click on malicious links, and carry out malicious actions as instructed by impersonated senders. These activities facilitate credential theft, PII theft, and the fraudulent transfer of money into the hands of criminals.

    Modern email-borne threats are facilitated by:

    1. Malware payloads/attachments – leading to ransomware delivery and botnet drone delivery, and used as an entry for more complex attacks that start with simple reconnaissance and lateral movement.
    2. Phishing attacks – leading to credential theft, PII theft, and business email compromise. Most include spoofed URLs leading to fake copycat sites that capture credentials and other sensitive data (especially popular with Microsoft O365, Exchange, and OneDrive). Once stolen, credentials are often used in botnet-driven credential stuffing/replay attacks, counting on the reuse of the same username and password for multiple applications or websites.
    3. Impersonation attacks (sender spoofing)
      • Impersonation of third-party, popular services like Dropbox, Office365, and others often catches people off guard. These attacks can involve multiple, related emails, in the form of a campaign, used to establish trust, but ultimately are used for phishing, BEC, or other fraudulent activities.
    4. Business email compromise
      • BEC is often comprised of highly targeted, multi-step deceit, beginning with credential theft to provide context for criminals as they orchestrate believable conversations that ultimately lead to the fraudulent transfer of money and/or assets. Impersonating supply chain vendors is common here, as the transfer of large sums of money is commonplace.
    5. Sensitive data leakage (intentional and unintentional)
      • Intentional – Typically includes the theft of intellectual property and other sensitive data. Email is often used as the transport, forwarding company emails to personal email accounts.
      • Unintentional – Email clients make it easy to misaddress emails that result in sending sensitive data to the wrong person. Also commonplace is accidentally sending the wrong attachment that may include sensitive data.
      • Credential theft – When credentials are stolen, impostors gain access to email accounts where they can search for and easily exfiltrate sensitive data by forwarding or auto-forwarding emails to other locations.

    New Email Security Options

    Fortunately, new security solutions are rapidly becoming available that monitor for behaviors that align with these modern attacks. The use of natural language processing is enabling security solutions to track expected communications and content behaviors, warning or stopping malicious activities. Email sender verification using DMARC, DKIM, and SPF is helping organizations limit impersonation attacks.

    Next-gen email solutions from emerging security vendors like Valimail, Greathorn, Armorblox, and Abnormal Security together with market leaders like Mimecast, Proofpoint, Fortinet, Cisco, Symantec, and Trend Micro are leveraging these approaches to strengthen email security to protect against these plaguing email threats.

    The threat landscape associated with email is rapidly changing, so security teams need to pay close attention to ensure that their email security solutions can keep up. Don’t assume that your current SEG has you covered. Help is out there, but focus on and attention to this evolving threat vector are required.

  • 2019 Data Storage Trends

    This enterprise storage market data covers current and future trends for:

    • Data storage infrastructure
    • Applications and data value
    • Flash storage and NVMe
    • Software-defined storage
    • Public cloud and hybrid cloud storage


  • Cybersecurity Services Trends

    This cybersecurity market data covers:

    • The cybersecurity services landscape
    • Recent services engagements
    • Purchase processes and considerations


  • This Enterprise Strategy Group Brief will review some key predictions for 2020 in the artificial intelligence space, from skills gaps and actionable AI to chatbots and natural language processing.

