Follow me on Twitter: @ericjbruno
Email me: eric@ericbruno.com

Data Security: The Morphing of Software Piracy

Eric J. Bruno

(This updated article is based on an earlier version that appeared on Smart Enterprise Exchange in 2011, which is no longer available)

With Software-as-a-Service and other cloud-based software and services growing in usage, you would think software piracy is on the decline. However, IDC estimated that software piracy cost the industry $51 billion in 2009, $114 billion in 2013, and $491 billion in 2014. This represents an enormous loss of revenue for software companies and for the people who make their living designing, creating, and supporting their products. Turn this around, and there is huge potential for job growth as people are needed to maintain and support legitimate software installations.

On the surface, this trend highlights the need to move to the cloud and SaaS as soon as possible. But if you dig deeper, you realize this trend could open the door to a new form of piracy: theft of data and services that relate to the applications running in the cloud. Theft of data is something we’re all too familiar with, including the recent Target and Home Depot credit card data heists, JPMorgan Chase customer data breach, and the now infamous Sony Hack.

As for theft of services, this happens as well. In 2010, Oracle was awarded $1.3 billion in damages against TomorrowNow, an SAP subsidiary that illegally downloaded online support material for Oracle products. In this case it wasn't the software itself that was pirated, but the revenue associated with supporting it. With so much at stake in terms of lost revenue, lost jobs, and legal liability, it's important to ensure the safety of your software, its services, and your users' data.

Architecting A Global Defense

You need to think creatively about what other forms of piracy you may be exposed to. Will security holes allow your data to be stolen, representing loss of IP and value to your company, or is customer information at risk, representing potentially crippling liability? You need to think about and plan for the potential impact of piracy and theft in all forms. For instance, data breaches reward thieves not only with the resale value of the data but also through extortion, since stolen data can be held for ransom. Even worse, stolen data can be used to manipulate the market by damaging a company's reputation. The last two were seen in the recent Sony Hack.

I would argue that everyone is affected by piracy and theft. Software companies and cloud providers both play critical roles to ensure technology is used to fight this digital battle. Security needs to be architected into modern software at multiple levels:

  1. Application architecture: application developers need to build in proactive security measures aimed at not only preventing breaches, but to identify breaches and limit their damage as soon as they occur.
  2. Network architecture: the cloud, platform choices, global distribution of services, and layers of abstraction raise the attacker's cost of finding and reaching your services; treat that obscurity as a complement to access control, not a substitute for it.
  3. Data architecture: design for encryption, keep your data within your private cloud if possible, and leverage a hybrid cloud approach for SaaS and other cloud solutions.
  4. Directional Authentication: having your users come from a single, known source of authentication or clearinghouse reduces the chances of intrusion.
  5. Intrusion and Theft Detection: in some ways, it’s a losing battle to fight the bad guys. Just make sure you know the instant they’re at your front door.
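
Item 5 above, knowing the instant an intruder is at the door, is the one most often left as a slogan. The following is an added example (not code from the article) of two such detections run over a constructed data-access audit log: a honeytoken, a decoy customer row that no legitimate code path reads, and a bulk-read check that flags any principal reading far more distinct records in one minute than a fixed threshold. The JSON log format, field names, service names and decoy ID are assumptions made up for this example.

```python
"""Added example (not from the article): two "know the instant they are at
the door" detections over a constructed data-access audit log.

  1. Honeytoken: a decoy customer row that no legitimate code path reads, so
     any read of it is an incident by definition.
  2. Bulk read: a principal reading far more distinct records in one minute
     than a fixed threshold, the signature of a data dump in progress.

The JSON log format, field names and service names are assumptions made up
for this example.
"""
import json
from collections import defaultdict

# Hypothetical decoy IDs planted in the customer table when it is provisioned.
HONEYTOKEN_IDS = {"cust-00000000-decoy"}


def build_sample_log():
    """Constructed sample log, one JSON object per line. Not real traffic."""
    lines = [
        {"ts": "2015-01-05T10:00:01Z", "principal": "svc-billing", "action": "read", "record": "cust-1001"},
        {"ts": "2015-01-05T10:00:02Z", "principal": "svc-billing", "action": "read", "record": "cust-1002"},
        {"ts": "2015-01-05T10:00:03Z", "principal": "svc-billing", "action": "read", "record": "cust-1001"},
        # A support account touching the decoy row: nothing legitimate does this.
        {"ts": "2015-01-05T10:00:05Z", "principal": "svc-support", "action": "read", "record": "cust-00000000-decoy"},
    ]
    # An "export" principal reading 120 distinct rows within a single minute.
    for i in range(120):
        lines.append({"ts": f"2015-01-05T10:01:{i % 60:02d}Z", "principal": "svc-export",
                      "action": "read", "record": f"cust-{2000 + i}"})
    return "\n".join(json.dumps(line) for line in lines) + "\n"


def detect(log_text, bulk_threshold=50):
    """Return a list of alert dicts. Honeytoken hits fire once per event;
    bulk-read alerts fire once per (principal, minute) whose number of
    distinct records reaches bulk_threshold."""
    alerts = []
    distinct_per_minute = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["record"] in HONEYTOKEN_IDS:
            alerts.append({"kind": "honeytoken", "principal": ev["principal"],
                           "when": ev["ts"], "record": ev["record"]})
        minute = ev["ts"][:16]  # "YYYY-MM-DDTHH:MM"
        distinct_per_minute[(ev["principal"], minute)].add(ev["record"])
    for (principal, minute), records in sorted(distinct_per_minute.items()):
        if len(records) >= bulk_threshold:
            alerts.append({"kind": "bulk_read", "principal": principal,
                           "when": minute, "count": len(records)})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The honeytoken alert needs no baseline at all, which is what makes it cheap and precise: the only tuning is making sure the decoy row is never returned by a legitimate query. The bulk-read threshold is the part that needs per-principal tuning in practice; a nightly export job will legitimately exceed what a support agent should ever read.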

With the cloud, network architecture goes beyond adding firewalls and routers in all the right places. It means choosing a cloud vendor with security guarantees, distributing your services beyond a single hosting provider, and building a private in-house cloud to house your most critical business components, e.g. black-box algorithms, customer data, and other valuable IP.

In terms of your data architecture, don’t assume all threats are external. Often, the biggest danger comes from within. Both accidental data exposure and ill-intent can put you and your data at risk. Ensuring that your data is encrypted (or scrubbed of personal identifiers) within the confines of your own firewalls, and not allowing applications to use internal data without going through proper gateways, will help thwart internal attacks and risks, accidental or not.
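
The gateway idea in the paragraph above, with the "scrubbed of personal identifiers" option, is illustrated by the following added example (it is not code from the article). A small data gateway keeps raw identifiers inside the walled garden and hands every other caller pseudonymized or masked fields. The pseudonyms are HMAC-SHA256 under a key that never leaves the gateway; the example also shows why a plain SHA-256 of an e-mail address is not scrubbing at all, since an attacker can recover it from a dictionary of guesses. The record layout, scope names, sample rows and guess list are assumptions invented for this example; full field encryption is out of scope here.

```python
"""Added example, not from the article: a minimal data gateway that keeps raw
identifiers inside the walled garden and hands other applications only
pseudonymized or masked fields. Record layout, scope names and the sample
rows are assumptions invented for this example.

Pseudonyms are HMAC-SHA256 under a key that never leaves the gateway. A plain
SHA-256 of an e-mail address or card number looks scrubbed but is not: the
input space is small enough to recover by dictionary, as recover() shows.
"""
import hashlib
import hmac
import os

# Constructed sample rows: the store an internal app would otherwise query.
SAMPLE_STORE = {
    "cust-1001": {"id": "cust-1001", "email": "alice@example.com",
                  "card": "4111111111114242", "plan": "gold"},
    "cust-1002": {"id": "cust-1002", "email": "bob@example.com",
                  "card": "5555555555550001", "plan": "basic"},
}


def naive_hash(value):
    """The weak form: an unkeyed hash. Anyone can recompute it over guesses."""
    return hashlib.sha256(value.encode()).hexdigest()


class DataGateway:
    """Single choke point for internal data. Callers present a scope;
    only the audited 'pii' scope ever sees raw identifiers."""

    def __init__(self, key, store=None):
        if len(key) < 32:
            raise ValueError("pseudonymization key must be at least 32 bytes")
        self._key = key
        self._store = dict(store if store is not None else SAMPLE_STORE)

    def pseudonymize(self, value):
        # Keyed, so the token is stable for joins inside the garden but
        # cannot be recomputed by anyone who lacks the key.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def mask_card(pan):
        return "*" * (len(pan) - 4) + pan[-4:]

    def get_record(self, record_id, scope):
        row = self._store[record_id]
        if scope == "pii":          # internal, audited callers only
            return dict(row)
        if scope == "analytics":    # everyone else gets scrubbed fields
            return {"id": row["id"],
                    "email_token": self.pseudonymize(row["email"]),
                    "card": self.mask_card(row["card"]),
                    "plan": row["plan"]}
        raise PermissionError(f"scope {scope!r} may not read customer data")


def can_read(gateway, record_id, scope):
    """True if the gateway lets this scope read the record at all."""
    try:
        gateway.get_record(record_id, scope)
        return True
    except PermissionError:
        return False


def recover(target, candidates, hash_fn):
    """Dictionary attack: return the candidate whose hash matches target,
    or None. Works against naive_hash; fails against a keyed pseudonym."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    gw = DataGateway(os.urandom(32))
    print(gw.get_record("cust-1001", "analytics"))
    # Constructed guess list an attacker might hold.
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    print(recover(naive_hash("alice@example.com"), guesses, naive_hash))
    print(recover(gw.pseudonymize("alice@example.com"), guesses, naive_hash))
```

The point of the `recover()` function is the edge case practitioners get wrong: hashing an identifier only protects it if the attacker cannot enumerate the inputs, and e-mail addresses, phone numbers and card numbers are all enumerable. Keying the hash moves the secret from the data to the gateway, which is exactly where the paragraph above says it belongs.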

Conclusion

Many products and services are available to help protect your software assets as well as your customer data from theft and piracy. For example, centralized authentication software puts access control for your cloud or web-based services in one well-tested place, while providing your customers with the convenience of single sign-on across your products and services. Other products secure other stages of online software usage, such as when users initially sign up for access to your software or make self-service support requests. These areas are often overlooked in terms of their security needs, and strong identity management is a must here. Just look at the 2012 takeover of Wired writer Mat Honan's accounts, in which attackers reset his Apple and Amazon accounts by social-engineering customer support rather than by cracking any password, as an example of the related risks.

To summarize, your strategy to thwart modern software, services, and data theft should include a combination of the following:

  • Obfuscation through a scaled-out distributed cloud strategy
  • A hybrid cloud design for critical IP and customer data
  • Data encryption at the source, inside an internal walled garden (trust no one)
  • Directional authentication: single sign-on from a known secure source
  • Proactive breach detection
  • Bolstering security in support and related user services