By Daniel Steeves, Director at Beyond Solutions
So, they can see it all… and they really are watching! For the past six years, PRISM (under public ownership) and that other form of Big Brother, the Internet in general, (under, mostly, private ownership) for much more than six years. While very different in nature, perception and our view of having given permission (or otherwise) these two avenues to our information are also very much the same. As is the answer to how you can take control of both and render PRISM itself effectively irrelevant with regards to your data (more on that a bit later).
A recent article on ReadWrite.com, amongst others asking questions like ‘In Cloud We Don’t Trust?’ might be a little off-kilter from the start: isn’t trust meant to be based on things like implementation and delivery, not on concepts? In any case, modern trends have led to behaviour changes that on one hand relax our views on personal privacy while accenting them with heightened awareness and increased concerns regarding personal security and identity… clearly a contradictory position but that is where we are.
Trust is based on the implementation and delivery, not on the concept.
And I think we know, mostly, how we got here: Data, Big Data, lots of data: accumulated, shared, analysed and desired… not to mention viewed, comprised and stolen.
From the looks of what we see on real-time attack monitors like HoneyPot or Akamai – and what we read in the June update from the Information Commissioner’s Office reporting a tenfold increase in corporate data breaches over the past five years – we are pretty aware of what mistakes and attacks are possible on both sides of the security fences. Probably by now we shouldn’t be surprised that Governments, businesses and individuals would attempt to find opportunities to their advantage – maybe not in terms of right and wrong, moral or immoral, legal or illegal but simply in terms of the odds of it happening.
We are the King-Makers!
After all “We, the People” have generated vast amounts of wealth for other people by giving them our personal information and the permission to use it pretty much as they please. Many may not have realised, from the start, exactly what was happening but as our search results improved, social and business networking sites connected us to friends and family, businesses flourished and content worth consuming popped up everywhere, about everything – all provided essentially for free – for the most part we decided we were okay with it all… even if we didn’t read the fine print before accepting the Terms & Conditions!
I’m neither qualified nor, to be honest, interested in debating legalities, civil rights, moral views or due process and there are more than a few spots covering those angles… so let’s skip to the mechanics. For sake of argument, let’s consider it a given that “they” are legitimately seeking access to information to support investigations in our ‘best interests’. And give the benefit of the doubt to the Courts as gatekeepers who accept only the most compelling arguments. And that legitimate, local due process will be followed. And that the information requested will be used solely for the original purpose (that ‘greater good’ thing). And that things like Safe Harbour and other treaties meant to enforce the protection of our data, personal and otherwise actually do enforce the protection of our data.
We are the Protectors?
Okay, a few leaps of faith needed so far, particularly when we add to the mix that the rules and policies of such treaties worldwide were actually defined in a different era of technology years before the capabilities (and resulting application or interpretation of US laws to suit the use) of PRISM could even be considered. It was even longer before our latest favourite whistle-blower made us aware of its existence let alone its extent and capabilities: in simple terms, if “they” want it then, apparently, “they” can get it.
I could be wrong but I think that many of us inherently accept that some of that data, somewhere, connect and analysed the right way by the right people might prove to hold the key to something vital. I know that I enjoy hearing about intelligence-led victories (especially when achieved intelligently!) The “doing it behind our backs” thing might not have been well advised, though, in a world where fundamental control by the owners or keepers of data – who have the responsibility, legal and ethical, to control and protect the data they hold for or about others – is how it is meant to be, or so we’d been led to believe.
You Hold the Keys
The only reason to consider having to accept any of those leaps of faith is because PRISM as a data-Hoover actually poses little cause for alarm if the data can’t be read. So why not spy-proof your data to limit or eliminate the ability of anyone, Government or otherwise, to access your data without your knowledge; for it to be snooped or otherwise collected whilst it travels via the internet and through some clouds; or when in the hands of Internet, Cloud or Hosting providers – or your supply chain or anywhere else it might get to, planned or otherwise.
PRISM actually poses little cause for alarm… just spy-proof your data
Encryption as spy-proofer is not so complicated: in simple terms, data is kept confidential by means of a cipher, for example, which like a lock has a key: lock to encrypt, unlock to decrypt. And it is perfectly legal. In fact it is generally recommended but far less generally implemented even though it can be done with little to no performance impact and, from the risk mitigated by protecting your business from fines like those reported by Gradian Systems factored into the model, it might prove cost-effective as well!
While any reputable business will want to comply with the laws of any states in which they do business, encryption provides you with legal control: companies may be compelled to decrypt their data under subpoena or other methods but they will always know when and which data has been targeted. The fact is that of those businesses who do use encryption to secure data across networks to offices and partners or via publicly accessible services, few of them encrypt data as it travels through their internal networks, between storage and servers. Which might mean that they are not getting what they think they have.
The trick, then is to not only clarify your requirements, as always but to have clarity as to the implication of the options available and, ideally, collaboration with the subject matter and domain expertise of a trusted advisor. Otherwise you might end up with encrypted data but not have control of the keys.
One such trusted collaborator is Jon Penney, CEO of Intellect Security (disclosure time: he is a client) who provides enterprises with source-to-archive encryption solutions and via Cryptosoft delivers scalable policy-driven encryption, as an appliance or as-a-Service, protecting data across workflows and business processes including partners, supply chain and customers.
SSL protects [data] on the way to the cloud but not in the cloud.
As Jon put it “SSL provides fairly robust protection for your data as it moves along the pipes but the data is only protected in motion: on the way to the cloud, not in the cloud, for example. What you need in this scenario is for the data to remain encrypted-as-used in real time by applications, in active local and remote storage, for backups or when archived and everywhere in between. If clear at any time, either on your own systems or when out of your direct control, the data is subject to access without credentials.”
The key is of course the keys: intelligent design abstracting business logic from physical infrastructure and cross-platform secured distribution – to ensure that security is designed as a part of, rather than a restriction to, the processes of the business process. Not to mention keeping them in the hands of the business – and not their service provider.
Of course, if “Big Brother” really wants it he’ll probably find a way… the key may be the key but that ownership and control mitigates risk only until the Law says otherwise.
Daniel is a Director at Beyond Solutions where he advises Cloud and other Technology providers and a Thought Leader for Compare the Cloud. You can reach him at firstname.lastname@example.org or follow him on Twitter @DanielSteeves. Daniel has recently started publishing the Beyond Cloud series of video ‘discovery discussions’ with IntelligentHQ.com