Matthew Tyler, CEO of Blackfoot, considers a post-Snowden world where data security is high on the agenda, and looks for practical solutions.
Since the Snowden revelations of nine months ago there has been a huge amount written on ‘global surveillance’ and the interception of confidential data. In fact there has been so much written and spoken about the subject that even a Co-op chairman would struggle to find time to keep abreast of it! When we listen to the subtext of these writings and conversations we begin to see an interesting question emerging, specifically, how do we protect ourselves in the future? This article explores some of the disclosures and fundamental changes that will be required.
Shock disclosures and two common themes
Amongst the many writings are disclosures about how the largest US tech companies are releasing vast amounts of data to the National Security Agency (NSA) through automated and legal extraction processes. Like buses and bad news, shock disclosures often travel in threes, so it should come as no surprise that internet communications have been routinely hoovered from the web by security services and that most enterprise class networking equipment and software systems have been designed with ‘in place’ back doors that allow easy access.
So now that the shock has passed and there is a general acceptance that the NSA can and probably does take whatever and whenever it wants, two common questions are emerging:
1) should we be surprised by this behaviour of security services?
2) where should we be placing our data in the future?
Should we be surprised?
Although the NSA and security services appear to have a penchant for the extraction and monitoring of data, we probably shouldn’t be surprised that they do. Let’s face it, the job of the security services is to protect us from threats. We also shouldn’t be too surprised by the methods they deploy in the digital age, as they are probably no more intrusive than those used in the analogue age of the 70s and 80s, when government-approved export licenses were required to sell core telco kit to other countries.
What is important is that governments shed light on these practices and ensure they are transparent rather than being seen as complicit.
Where should we be placing our data in the future?
The question of where data should be held in the future has become commonplace. With as many as 25% of businesses considering moving their data out of the US, or away from companies located in the US, an important question should be asked quickly: is the right question being asked or, with the advent of change and the crumbling of borders, is the better question ‘How can I keep my data safe?’ This is explored in the next section.
Securing data in a brave new world
As evidenced by a recent MI5 and GCHQ communication to FTSE 350 Chairmen, the 10-year, £30b spend on building bulletproof corporate networks with highly secure ingress and egress points has failed. In the post-Snowden world we can be certain their knowledge that ‘large organisations are bleeding data’ is accurate; and we now know how they knew!
In the new digital world workers have been un-tethered from their desks and now wish to interact with clients, colleagues and supply chains in entirely new ways. Much of this has been enabled by mobile and the new world of Cloud computing. However, in this brave new world, adding ever-growing perimeter security to protect vulnerable and poorly designed applications is of little value to businesses who want to leverage the power of web-enabled systems to support their business objectives, improve customer experience and streamline operational costs.
The future holds an interesting dichotomy: on one hand, businesses want to web-enable their applications and extend system access beyond the traditional boundaries; on the other hand, traditional models of securing networks, gateways and end points constrain businesses. Future investments in the traditional approach could be considered the equivalent of throwing out the baby when the ‘information’ bath is emptied into the cloud.
Secure the applications to protect the data
So if the question is to be ‘How can I protect my data?’, where should the smart money be spent in the future? Perhaps Snowden provided a hint about the answer by stating that strong application security and well-managed cryptographic techniques will cause the security services the most headaches. Without doubt these headaches will be equally unpleasant to the bad guys out there whose intent is not to protect but to gain financially.
To meet the needs of the future, organisations must refocus their security efforts on securing applications and information rather than building bigger walls around the perimeter. This idea is gaining wide-scale acceptance and as we look to the future it is highly probable the only IT investments likely to be considered as transferable assets are the investments in the applications businesses use to make sense of the data and information they hold.
IT professionals are very familiar with the notion that security is a little like an onion and that security is best achieved by applying layers rather than relying on silver bullet solutions. If the information is at the core, then we need to start by knowing where it is. Information is now everywhere within most corporate networks and is certainly held in more places than most IT departments are aware of. It naturally follows that you can’t secure what you don’t know about. Moving applications to the cloud should therefore be seen as a way of cleaning up corporate networks, which can be riddled with information storage either inside on spreadsheets or outside on Dropbox / Google Drive type services.
With application security and strong encryption as essential layers of any secure information onion (aka Snowden), the brave new digital world of clouds connected to the Wild West Web can offer an excellent way of keeping your information from prying eyes and getting your information and security in place before new legislation, various security services or the real bad guys get their hands on it.