Any online transaction carries both benefit and risk. This is the very nature of commerce in data, and unfortunately, the risk is something that can never be truly erased. Whenever a payment is processed, whenever personal data is utilized, whenever a person logs into a platform, they are fundamentally exposing themselves and the resources they’ve used.
This simple reality is the unfortunate truth of data processing: you cannot rid any system of it. What you can do, however, is mitigate the potential damage that an intrusion into a system or a breach of privacy can do, both to the data provider and to the user at large.
In this piece, we’re going to do exactly that. We’ll look at some of the risks that are taken on by data providers and processors, as well as the risks inherent to users in this paradigm. We’ll take a look at some of the risk mitigation strategies that providers can implement to protect both themselves and others and what these really look like in the greater systems which utilize them.
Mitigation vs. Solution
Before we get too deep into this, we do need to differentiate between mitigation and solution. When mitigation is talked about, it’s often referred to as if it’s a one-stop, be-all-end-all. Unfortunately, that’s not what mitigation is – mitigation is simply the reduction in possible damage, not the elimination.
Throughout this piece, we’re going to talk heavily about mitigation, but this must be kept in mind. In theory, no one process or collection of processes can ever entirely nullify damage from a risk – all it can do is reduce the potential for damage from a risk, and in doing so, bring it as close to zero as possible. Sometimes it might actually zero out, but all that is occurring is a reduction in impact, not prevention of the threat.
This is important to remember, because considering a threat “solved” when it is actually “mitigated” leads very easily to complacency, and complacency only opens you up to more damage in the event of a breach.
Risks to Providers
While the actual number of risks to providers is almost impossible to enumerate, we can list a few major ones here, and give suggestions on how to deal with them.
DDoS and Hardware Limitations
DDoS, or Distributed Denial of Service, is a huge issue. Flooding servers with traffic, legitimate or not, can degrade performance network-wide, and when this traffic is paired with multiple concurrent streams of malicious traffic, the effect is even more noticeable. This reduces the availability of resources to the users trying to reach them and can result in failure of the system in general.
Legal Responsibilities
When dealing with data, improper data destruction, non-notification of data collection, and even simple insecurity of data can carry serious legal repercussions. These repercussions can extend all the way to punishment for negligence.
There is also the fact that many data providers might be handling data that is illegal under the laws of the area in which they collected it. Cloud computing might be used for nefarious purposes, storage space used for illicit content, and more.
Punitive Economics
Speaking of legal issues, these often bring with them a set of economic issues. Failing to follow the specific data generation, storage, and deletion laws carries heavy fines and limitations on business that can be punishing.
The economic problems don’t stop here, either. Failed servers mean no uptime, and no uptime means no business. Preventing downtime is a chief concern, and needs to be addressed as part of a greater mitigation strategy.
Mitigation Strategies
Load Balancing and Heuristic Traffic Handling
The best mitigation strategy here is to simply adopt load balancing. By using hardware able to balance traffic across multiple servers and nodes, this malicious traffic can be negated. Additionally, adopting heuristic solutions capable of detecting malicious traffic and deprioritizing said traffic is an equally effective solution.
Keep in mind that many issues stem from improper load balancing, so while this looks like just one mitigation strategy of a technical nature, it’s actually related to many of them. Ensuring high uptime, preventing buffer issues, and more can all be done through proper load balancing and heuristic analysis.
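As an added illustration (not code from the original article), the sketch below combines the two ideas: a per-client sliding-window rate heuristic tags requests as normal or low priority, and a least-loaded dispatcher fills backend capacity with normal traffic first. The window, threshold, capacity, function names and sample requests are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_S = 10.0       # assumed sliding-window length in seconds
MAX_PER_WINDOW = 5    # assumed per-client request budget per window

# Constructed sample: three ordinary clients and one flooding client
# (addresses come from the reserved documentation ranges).
SAMPLE = [(t, c) for c in ("198.51.100.1", "198.51.100.2", "198.51.100.3")
          for t in (0.0, 5.0)]
SAMPLE += [(i * 0.1, "203.0.113.9") for i in range(12)]

def classify(requests):
    """Tag each (timestamp, client) request 'normal' or 'low' by recent rate."""
    recent = defaultdict(deque)
    tagged = []
    for ts, client in sorted(requests):
        window = recent[client]
        window.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        while ts - window[0] > WINDOW_S:
            window.popleft()
        prio = "low" if len(window) > MAX_PER_WINDOW else "normal"
        tagged.append((ts, client, prio))
    return tagged

def dispatch(tagged, backends, capacity):
    """Send each request to the least-loaded backend, normal traffic first.

    Low-priority requests only use capacity left over; the rest are shed.
    """
    load = {b: 0 for b in backends}
    assigned, shed = [], []
    for ts, client, prio in sorted(tagged, key=lambda r: (r[2] != "normal", r[0])):
        target = min(backends, key=lambda b: load[b])
        if load[target] >= capacity:
            shed.append((client, prio))
            continue
        load[target] += 1
        assigned.append((client, target, prio))
    return assigned, shed, load
```

With the sample above and two backends of capacity 6, every request from the ordinary clients is served and only the flooding client's excess is shed, which is a reduction in impact rather than prevention of the flood.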
Legal Compliance
EU GDPR and other data privacy laws are the main driving concern here, and as such, adhering to these regulations as a matter of business is the best approach. Not only meeting these requirements but in some cases exceeding them ensures that you satisfy the baseline while positioning yourself to absorb any additional regulations.
Economic Protection
When considering the economic issues at play here, the main mitigation strategy would be to prevent the issue from ever arising. First and foremost, servers must be up and usable. This means failover clusters, backup systems, and traffic routing are all viable solutions.
Of course, solving this at the base level also means a solution to all of the issues that arise from it. For instance, losing server connectivity and allowing a breach of privacy was one of the things that led to Sony paying massive amounts of money to its user base. Not only did they pay out in the form of free content, but they also lost brand trust, and because of that, they had to amp up their social advertising to try to recoup.
In the same way, mitigating these issues at the lower level means that these situations shouldn’t arise, and in the long run, you are actually mitigating further economic issues by simply mitigating the first.
Data Erasure
The best way you can mitigate threats to your data is to simply hold on to data only as long as it’s needed. Once data is no longer needed, it should be permanently erased. We’re not talking simple deletion here, either – we’re talking full data erasure, a complete overwriting of data on the hard drive.
Solutions like ClaraWipe can definitely help in this space, covering data erasure from a variety of complex points of view. Erasing data completely requires utilizing a variety of powerful patterns and techniques, but in the long run, will result in more secure data systems.
More to the point, limiting both scope and lifetime of data can have an equally powerful effect. Ensuring that the data you are holding on to is within the scope of data you need can reduce your overall attack surface, and can make breaches less damning. Proper encryption can likewise mitigate much of the damage that may arise, but as more data is collected, encryption becomes less of a powerhouse.
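The retention-plus-erasure idea above, as an added example (not from the original article and not how ClaraWipe or any named product works): files older than a retention period are overwritten in place with random bytes and only then deleted. The function names, the 30-day retention and the sample records are assumptions constructed for the example.

```python
import os
import tempfile
import time

def overwrite_in_place(path, passes=1):
    """Overwrite a file's bytes with random data, syncing each pass to disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = min(remaining, 1 << 20)
                f.write(os.urandom(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    # Caveat: SSD wear levelling, copy-on-write filesystems, snapshots and
    # backups can keep old blocks alive; those need device-level erasure.

def purge_expired(directory, retention_s, now=None):
    """Overwrite, then delete, every regular file older than retention_s."""
    now = time.time() if now is None else now
    purged = []
    for entry in list(os.scandir(directory)):
        if not entry.is_file(follow_symlinks=False):
            continue  # skip directories and symlinks
        if now - entry.stat(follow_symlinks=False).st_mtime > retention_s:
            overwrite_in_place(entry.path)
            os.remove(entry.path)
            purged.append(entry.name)
    return sorted(purged)

def demo():
    """Constructed sample: one record 40 days old, one fresh, 30-day retention."""
    with tempfile.TemporaryDirectory() as d:
        old, new = os.path.join(d, "old.rec"), os.path.join(d, "new.rec")
        for p in (old, new):
            with open(p, "wb") as f:
                f.write(b"name=Alice;card=0000" * 8)
        forty_days_ago = time.time() - 40 * 86400
        os.utime(old, (forty_days_ago, forty_days_ago))
        purged = purge_expired(d, retention_s=30 * 86400)
        return purged, sorted(os.listdir(d))
```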