What Lessons Can the Ag Industry Learn from the Facebook Data Breach? How to Tell if Your Ag Data is Secure
Today, a seemingly endless amount of ag data flows from growers’ fields into a host of technology platforms. It is top of mind given the Facebook data breach involving Cambridge Analytica that compromised millions of users’ personal information. With all of the data being transmitted in the ag space, it is possible a similar incident could occur in our industry. So how can we be certain our data is secure?
In my talks with growers, I have observed them over-relying on technology providers and implicitly trusting them to secure their data without question. All too often, it is simply a handshake instead of a formalized security program and a detailed understanding of its documented protocols.
But the tides are changing. At the recent Farms.com Precision Agriculture Conference, I spoke with growers about the questions they should be asking technology companies regarding their approaches to data security. I also advised on the answers to look for.
I am so passionate about this topic because we treat security very seriously at Uptake. As an ISO 27001-certified organization, it is paramount in everything we do. Here are the top five considerations you need to know when it comes to the security of your ag data:
1) How is my ag data accessed, and how are user identities authenticated?
Strong data access control should be based on the security requirements of leading industry organizations such as the National Institute of Standards and Technology (NIST). For example, the NIST principle of “least privilege” requires that users receive only the level of access necessary to perform their job functions. Ag data access control should include, but not be limited to, passwords, cryptographic keys, and multi-factor authentication devices. In the physical realm, it should include, but not be limited to, key cards, PINs, biometrics, and 24/7 closed circuit television monitoring.
2) How are my connected ag machines and sensors secured?
Edge devices connect your ag machines in the field to technology providers’ platforms. The most secure edge devices are built upon robust reference frameworks that were developed by both security and Internet of Things experts and have been validated by third-party security assessments. Only authorized users should have access to edge devices and their data. Measures need to be taken to protect against unauthorized device access and the interception of communications between those devices and technology platforms.
3) How is my most sensitive ag data organized and managed? Is it encrypted in the platform? Is my live ag data used in development environments?
To determine the right level of protection, your ag data assets should first be classified before any ingestion takes place. All of your ag data must be classified to provide clear visibility of any potential threats and to maintain highly restricted access to sensitive information. It is imperative that your live ag data is isolated from development and testing environments. Once ingestion of your ag data begins, it should be encrypted both in transit and at rest.
4) How is my ag data protected from falling into the wrong hands? How is it kept from being hacked and how often are vulnerabilities checked for?
Technology providers’ networks should use tiered classification frameworks to ensure the separation of your ag data. Ask if they offer client-protected data enclaves, whether physical or virtual private cloud. Confirm they have a fully hardened security stack that includes endpoint and network threat prevention, application firewalls, and vulnerability scanning. The most effective security stacks offer proactive, continuous attack simulations performed on them by in-house teams to anticipate and mitigate unauthorized access, privilege escalation, and ag data theft.
5) When developers use my ag data to build products, how do they prevent it from being exposed in their code?
In order to safeguard your ag data, security needs to be embedded within the software development lifecycle (SDLC). Doing so allows for code-level security insights while ensuring continuous delivery of software. Within the flow of the SDLC, both static and dynamic code analysis should occur – including process gates to prevent the introduction of any security vulnerabilities into production environments. Developers and anyone else who is able to influence application security should be given comprehensive training tailored to fast-paced development in an Agile framework.
In summation, an industrial-strength security program does not stop there – nor does it sleep. It is continuous, comprehensive, proactive, and relentless. If you are still hungry for knowledge, ask technology providers the following questions:
- Do you teach your developers how to think and act like hackers for the purposes of testing your platform’s security and identifying any issues before bad actors can?
- How frequently do you perform code scans of your platform?
- How frequently do you perform independent security assessments of your platform?
- Do you have a Bug Bounty Program that engages with the security community to reward the identification of potential vulnerabilities?
If a technology provider cannot provide you with satisfactory answers to all of these questions – or if they attempt to pass the buck to another entity in the connected ag value chain – it is a major red flag. I leave you with a helpful snapshot of what a differentiated and secure SDLC process looks like: