The Equifax Data Breach Shows the Limitations of How Our Data is Stored

Desktop, mobile and internet of things systems are a growing part of our life, and we must be 100 percent confident that the convenience they deliver is secure.

By George Avetisov Edited by Dan Bova

Opinions expressed by Entrepreneur contributors are their own.

Equifax has now joined the growing list of mass credentials breaches that erode the trust we instinctively place in the service providers we rely on to access our connected world. Desktop, mobile and internet of things (IoT) systems are a growing part of our life, and we must be 100 percent confident that the convenience they deliver is secure.

The U.S. Office of Personnel, LinkedIn, Yahoo and now Equifax data breaches share one major trait: the centralization of sensitive customer data.

The cost of balancing security and usability always drives how enterprises manage identity and the way they store customer data. Marketing intelligence may improve a service, but relying on centralized databases remains an Achilles' heel that seems to get hit too often.

Using a centralized authentication model, a user logs in with a PIN, password or biometric template that is matched against a library of all users' information. This is the most common way enterprises manage identity. The biggest risk is that having to store all that personalized data means it has to be secured. Any central server containing such a large repository of information naturally becomes a target for hackers.

Making the shift from a centralized approach

Decentralized authentication inverts the process and provides a vastly more secure option for both the enterprise and the user. The user's information is matched against an encrypted template stored locally on the user's device, so that sensitive personal information is never transferred to or stored by the service. The enterprise service provider receives only a "token" consisting of a random numeric string that assures the user is who they say they are. The enterprise, in turn, bears less risk of holding sensitive information.
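The flow described above, sketched as an added example that is not from the original article or from any vendor's product: the device matches a PIN against a locally stored verifier and, only on a match, releases the next value of a Lamport-style hash chain as the token, so the server holds a single hash per user. The hash chain, the PIN standing in for a biometric template, and the names `Device` and `Server` are assumptions; the article does not say how the token is built.

```python
import hashlib
import hmac
import os

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain(seed: bytes, n: int) -> bytes:
    for _ in range(n):  # apply SHA-256 to the seed n times
        seed = h(seed)
    return seed

class Device:
    """Hypothetical client: the PIN verifier and chain seed never leave it."""
    def __init__(self, pin: str, length: int = 100):
        self.salt = os.urandom(16)
        self.template = self._stretch(pin)  # local template (assumption: PIN, not biometric)
        self.seed = os.urandom(32)
        self.remaining = length

    def _stretch(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def enroll(self) -> bytes:
        """Anchor the server stores: the seed hashed `length` times."""
        return chain(self.seed, self.remaining)

    def authenticate(self, pin: str):
        """Match locally; release the next one-time token only on success."""
        if not hmac.compare_digest(self._stretch(pin), self.template):
            return None
        if self.remaining == 0:
            raise RuntimeError("hash chain exhausted; re-enroll the device")
        self.remaining -= 1
        return chain(self.seed, self.remaining)

class Server:
    """Hypothetical service: one hash per user, no PIN, template or signing secret."""
    def __init__(self):
        self.db = {}
    def register(self, user: str, anchor: bytes) -> None:
        self.db[user] = anchor

    def verify(self, user: str, token) -> bool:
        anchor = self.db.get(user)
        if token is None or anchor is None or not hmac.compare_digest(h(token), anchor):
            return False
        self.db[user] = token  # single use: the accepted token becomes the new anchor
        return True
```

A copy of the server's table does not let its holder log in, because producing the next valid token requires a SHA-256 preimage that exists only on the device.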

Decentralized authentication places the power to manage one's identity back in the hands of those to whom it belongs, its owners. It also greatly modernizes the enterprise landscape and disrupts the hacker business model of exploiting large payloads of credentials to sell on the dark web. Forcing a hacker to go from device, to device, to device in the hopes of obtaining one user's credentials is a completely un-scalable economic model.

Moving to the decentralized model will greatly reduce the potential of a mass credentials breach like Equifax, Yahoo, Home Depot and the U.S. Office of Personnel. While not every solution is guaranteed, a fundamental shift in the authentication model can truly keep valuable information like personal credentials from walking out the door.

Why Equifax was unprepared for a breach

As for further details on Equifax, it looks like the attack was most likely due to an unpatched version of the open-source Struts web application framework, which enterprises use for creating web applications. A vulnerability was identified in this framework several years ago and fixed, but it doesn't look like Equifax applied that fix to its web application. Enterprises must do better to ensure their security practices include simple but regular maintenance and timely updates of third-party libraries. Additional layers of security should also be deployed for web applications, with proper separation of concerns implemented. Any particular web application service should have access only to a subset of the critical data.

Furthermore, continuous monitoring needs to be the norm for security-critical systems, with remediation actions automated. The attempt to suddenly export millions of data records should have been flagged and acted upon automatically to prevent such an attack, regardless of the fact that Equifax was using an unpatched version of the Struts framework. The Equifax hackers exported millions of user records in a very short period of time. Accessing such a large number of records is probably a very uncommon event within that application. Therefore, it should have been flagged and automatically prevented by the firm's security tools (if it had them).
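One way to implement the automated flag-and-block check described above, as an added example rather than anything Equifax or the author used: a per-client sliding window over records returned, replayed against a constructed access log. The log format, client names, 60-second window and 100,000-record limit are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample log, one request per line: "epoch_seconds client_id records_returned"
SAMPLE_LOG = """\
1000 web-portal 3
1005 web-portal 1
1010 batch-7 40000
1012 web-portal 2
1015 batch-7 45000
1020 batch-7 50000
1030 batch-7 60000
1400 web-portal 4
"""

class ExportMonitor:
    """Tracks records returned per client over a sliding time window."""
    def __init__(self, window_s: int = 60, max_records: int = 100_000):
        self.window_s, self.max_records = window_s, max_records
        self.events = defaultdict(deque)  # client -> deque of (timestamp, records)
        self.totals = defaultdict(int)    # client -> records inside the window
        self.blocked = set()

    def observe(self, ts: int, client: str, records: int) -> str:
        """Decide before the response is served: 'allow' or 'deny'."""
        if client in self.blocked:
            return "deny"
        q = self.events[client]
        q.append((ts, records))
        self.totals[client] += records
        while q and q[0][0] <= ts - self.window_s:  # evict events older than the window
            _, old = q.popleft()
            self.totals[client] -= old
        if self.totals[client] > self.max_records:
            self.blocked.add(client)  # automated remediation: cut the client off
            return "deny"
        return "allow"

def replay(log: str, monitor: ExportMonitor):
    """Feed log lines through the monitor and return (client, decision) pairs."""
    decisions = []
    for line in log.splitlines():
        ts, client, records = line.split()
        decisions.append((client, monitor.observe(int(ts), client, int(records))))
    return decisions
```

In the sample, `batch-7` is cut off on its third request, the one that would push its 60-second total past the limit, while the interactive `web-portal` traffic is never affected.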

Proactive security means rethinking the whole vulnerability model. A proper solution combines the most innovative, if unconventional, ways of approaching how services are provided with the automation that comes from monitoring them. If enterprises like Equifax don't want to lose data that they don't have to hold, they need to work to ensure they no longer hold it. There's a better way to secure our connected world than having to hold information whose loss might harm the economy, individuals and our trust in the technology landscape we all love. It's a trend one would rather see than hear about another mass credentials breach.

George Avetisov

CEO and co-founder of HYPR Corp.

George Avetisov is the CEO and co-founder of HYPR Corp., provider of secure and decentralized biometric authentication for the internet of things. As a repeat entrepreneur, Avetisov has focused on ecommerce security, specializing in fraud and identity for a decade.
