Why Today’s Data Security Is Not Very Secure?
Data breaches are a regular––expensive and embarrassing––part of the current tech industry. IBM estimates the average data breach cost at more than $4M, not including damage to public reputation and client relations. The root of this problem lies in popular approaches to data protection. Virtually all systems (even the most advanced systems that utilize trusted execution environments like SGX) protect data with software. As a result, to protect data we must prevent software hacking––a task that remains an eternally unsolved challenge in the security community.
Software hacking occurs when clever attackers identify vulnerabilities (often in the form of bugs) in software that allow sinister exploits to step around the security defenses deployed on systems. A closely related, but equally important, form of hacking is side channels. Side channels occur in the observable characteristics (e.g., run time) of software and hardware, revealing sensitive data inside an application. In today’s systems, if you cannot stop software hacking and side channels, you cannot protect data.
Why Not Put a Stop to Hacking?
A vast majority of the security industry is focused on software hacking. To stop software hacking, security professionals attempt to identify and fix all of the bugs in a program. This approach is often called “Patch and Pray” because finding all bugs is essentially impossible. If you ask a programmer if there exists any software without bugs, they will most likely say “No.” Software is simply too complex, too rapidly evolving, and too intractable to lend itself to any form of high-precision “bug hunting.” More often than not, the odds of a software hack favor the attacker.
Further, even if organizations could find and fix all software bugs, they would still be susceptible to side channel attacks, which simply observe the operation of software and hardware to infer their secrets. Sophisticated and well-meaning developers can easily write completely bug-free code that is riddled with side channels, allowing any listening attacker to quickly understand the secrets within the software.