Tuesday, September 10, 2013

Keeping the Bad Guys Out

This blog post has been written for the WIRED Innovation Insights blog where it was published on September 9, 2013. You can find the original post here.

Just as we thought the WikiLeaks problem had faded away, we got a little reminder recently through the Bradley Manning sentencing. However polarizing this issue is, and however much the public's perception of Manning ranges from high treason to martyrdom, the fact remains that our information is not secure today.
What? The multi-billion dollar industry that produces all the security products has failed us? All those sophisticated encryption algorithms don’t protect our data? What about the firewalls, multi-factor authentication, VPN, and SSL that we have been deploying?
Sure, all those technologies are very powerful and they indeed address some of the major information security issues. Authentication ensures that the person accessing the information really is who he or she claims to be. Firewalls keep out everyone without authorization. Encryption tools such as VPN, SSL, or PGP prevent snooping on the data as it travels from system to system. All of this is great, but it has a major flaw!
The problem with most of our information security to date is that it has been designed to keep the bad actors out. When you keep the bad guys out, your information is safe. Right? Well, not exactly. As the WikiLeaks and, more recently, the Edward Snowden examples show, critical information leaks can happen at the hands of authorized personnel. The leaks come from people who have legitimate access to the information and who are not considered a threat to the very information that all these security measures are designed to protect.
This issue must be quite unsettling to any strategic CIO. They may not be telling their boss, but their data is only as secure as their employees can be trusted. On top of that, it’s not just the malicious information leaks that are a concern. Most information leaks happen through negligence, without any malicious intent. Have you ever sent an email accidentally to the wrong person? If you have (and let’s be honest, who hasn’t?), you were just lucky that the attachment didn’t contain any state secrets.
Such “authorized information leaks” become even more of an issue in the era of mobile devices and cloud-based file sharing and synchronization. There is a plethora of services, such as Dropbox, Microsoft SkyDrive, and Google Drive, that make it very easy for people to share information across their accounts and devices -- corporate and privately owned. When employees leave, they take those accounts with them -- together with all the confidential information. There may not be any malicious intent behind this, but it is a worrisome information leak nevertheless.
So what can we do? Sure, we can intensify the background checks on our new hires, train employees, and test their loyalty through psychological tests, but these methods are hardly practical outside the high-security agencies. We can also employ some of the new breed of security solutions such as SIEM (security information and event management), which monitors data traffic patterns and looks for anomalies to detect security breaches (albeit usually after the fact).
But we should also never underestimate the need to establish solid information governance across the organization -- a way to properly organize the information, to determine where the information should be stored and who has access to it. Information leaks are a much more frequent occurrence in a messy environment where nobody really knows what information they actually possess and where it lives.
Lastly, we should expect information security vendors to start focusing their innovation on areas beyond traditional perimeter security. Complete information security may not be a solved problem today, but let’s hope it won’t stay like that forever.