I’ve said it before and I’ll say it again. People who protest their reluctance to put enterprise data into the cloud demonstrate a misplaced confidence in the security of their own infrastructure.
Would we now be reading Edward Snowden’s PRISM revelations had the NSA been storing its secret documents in the cloud? I suspect it’s unlikely. Moving to the cloud means scrutinizing your security and risk exposures with far more care than most enterprises ever devote to their own on-premise arrangements.
Given that the existence of the revelations is itself such a categorical condemnation of the NSA’s own on-premise security precautions, it should be a warning to us all that our own security may not be such a paragon of excellence.
At least the NSA found out — although not in a good way — when the perpetrator publicized his own actions with front page stories in The Guardian, The Washington Post, and other titles. Most data thefts go unnoticed and undetected.
OK, so maybe it is easier for the government to get at your data if it’s kept in (or sent via) the cloud. But governments make the law, they can legislate to get at your data wherever you keep it.
You should be worrying more about keeping it safe from everyone else’s prying eyes — in particular your competitors, vengeful ex-employees and others who wish you ill.
Er, no you can’t. Especially not when most of them are contractors hired in from third-party IT service providers — Snowden was employed first by Dell, then later got a job with Booz Allen Hamilton, in a move that it seems he deliberately orchestrated in order to obtain better access.
How do you know these third-party contractors are even fully trained on your security policies, let alone following them? Sure, they’re upstanding people and you can trust pretty much all of them. It’s the handful you can’t trust that you have to worry about.
2. I have locked down my desktops
To prevent data ‘walking out of the building’ on thumb drives, most enterprises lock down the USB ports and other data transfer outlets on their desktops. The NSA went further, having its workers use a ‘thin client’ infrastructure which meant the desktop software was running on well protected servers at its base in Fort Meade, with only the user screens downloaded to the local client. As NBC News explains, this created a protective ‘air gap’ around the sensitive data:
The system is intentionally closed off from the outside world, and most users are not allowed to remove information from the server and copy it onto any kind of storage device. This physical isolation — which creates a so-called ‘air gap’ between the NSA intranet and the public internet — is supposed to ensure that classified information is not taken off premises.
The trouble with this type of blanket lock-down is that there are always exceptions when data has to be downloaded locally. One example cited by NBC News would be moving information “to correct a corrupted user profile.” So a workaround has to be created for those cases, which certain administrators are authorized to use. At the NSA, Snowden was one such authorized administrator.
Of course, mobile and remote access would open up a whole other can of worms, but since the NSA didn’t go there, we can leave that worry for another day.
3. We log everything
The one sure way to enforce rules is if you make sure that people will get caught when breaking them. So monitoring and logging what users are doing on the system is an essential component of any security paradigm.
Trouble is, are you sure you’re logging the right people? For example, be sure that people aren’t sharing login credentials. Also watch out for those exceptions in case of technical issues that allow administrators to log in as others or even take on ‘ghost’ identities that aren’t logged so they don’t skew the usage stats.
A determined miscreant will quickly identify these loopholes and take advantage of them — which is exactly what Snowden did at the NSA.
… if Snowden could do it, it’s very, very likely that he’s not the only one employed by the NSA or contracting for the NSA who knows how to cover their digital trail. And that leads to a very obvious question: sure, the NSA knows about thousands of unintentional violations and a bunch of intentional violations — but what about all the violations it has no idea about because someone was able to bypass or delete the log files?
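Two of the weaknesses described above, the authorized exception that lets an administrator act as another user, and logging that is only useful if it records the right people and cannot be silently trimmed, can be checked for in the audit trail itself. The following is an added example, not code from the article or from any product it mentions; the log format, field names and sample lines are constructed for illustration, and a real deployment would adapt the parser to its own audit source. It flags accounts with overlapping sessions from different hosts (a sign of shared credentials), gaps in a monotonically numbered log (a sign of deleted entries), and every use of the act-as exception so that it can be reviewed rather than assumed benign.

```python
"""Audit-log sanity checks: credential sharing, log gaps, privileged exceptions.

Added example, not part of the original article. The log format below is
constructed: "<seq> <ISO timestamp> <event> user=<u> host=<h> [as=<target>]".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log. Note the missing sequence number 4 and the
# two overlapping logins for 'alice' from different workstations.
SAMPLE_LOG = """\
1 2013-05-20T08:00:00 login user=alice host=ws-101
2 2013-05-20T08:05:00 login user=alice host=ws-244
3 2013-05-20T08:30:00 logout user=alice host=ws-101
5 2013-05-20T09:00:00 login user=bob host=ws-150
6 2013-05-20T09:10:00 impersonate user=bob host=ws-150 as=carol
7 2013-05-20T09:40:00 logout user=bob host=ws-150
8 2013-05-20T10:00:00 logout user=alice host=ws-244
"""


def parse_log(text):
    """Parse the constructed line format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, ts, event, *fields = line.split()
        rec = {"seq": int(seq), "ts": datetime.fromisoformat(ts), "event": event}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = value
        events.append(rec)
    return events


def find_sequence_gaps(events):
    """Return (expected, found) pairs wherever the sequence number jumps.

    A gap in a counter that the logging system increments on every record
    is evidence that entries were removed, not merely that nothing happened.
    """
    seqs = [e["seq"] for e in events]
    return [(prev + 1, cur) for prev, cur in zip(seqs, seqs[1:]) if cur != prev + 1]


def find_shared_credentials(events):
    """Return accounts that had concurrent sessions open from different hosts."""
    open_sessions = defaultdict(dict)  # user -> {host: login time}
    flagged = set()
    for e in events:
        if e["event"] == "login":
            if any(h != e["host"] for h in open_sessions[e["user"]]):
                flagged.add(e["user"])
            open_sessions[e["user"]][e["host"]] = e["ts"]
        elif e["event"] == "logout":
            open_sessions[e["user"]].pop(e["host"], None)
    return sorted(flagged)


def find_impersonations(events):
    """Return (admin, target) pairs for every use of the act-as exception."""
    return [(e["user"], e["as"]) for e in events if e["event"] == "impersonate"]


def audit(text):
    """Run all three checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "gaps": find_sequence_gaps(events),
        "shared_credentials": find_shared_credentials(events),
        "impersonations": find_impersonations(events),
    }


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The sequence-gap check only works if the log source itself assigns the counter and ships records somewhere the administrator being audited cannot write to; a log that an authorized administrator can edit in place is exactly the loophole the quoted passage describes, and no amount of after-the-fact parsing recovers what was deleted from it.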
5. I can see what my people are doing
Perhaps the greatest fallacy of on-premise security is a phenomenon I like to call ‘line-of-sight governance.’ It’s the false sense of security we experience when we feel that whatever happens, at least we can always just walk down the corridor and make a hands-on assessment of the situation on the ground.
This sense of direct, actionable accountability covers a multitude of sins, especially in organizations like the NSA where much of the IT infrastructure is years out-of-date (hands up, every large enterprise).
And of course it doesn’t work in a globally distributed enterprise where some employees are hidden far out of sight. As NBC News recounts:
Snowden’s physical location worked to his advantage. In a contractor’s office 5,000 miles and six time zones from headquarters, he was free from prying eyes. Much of his workday occurred after the masses at Ft. Meade had already gone home for dinner. Had he been in Maryland, someone who couldn’t audit his activities electronically still might have noticed his use of thumb drives.
6. It’s our own infrastructure
The very thing that makes you feel most secure is the one thing that is your fatal flaw. If it was someone else’s infrastructure, you’d be crawling all over it to check out every weakness. You’d demand exception-proof procedures, blanket monitoring, fully auditable logs and real-time reporting. Even then, you’d be spot-checking all the time to make sure they weren’t slacking on the job.
Which is why the safest place to keep your data is with a reputable cloud provider — because none of their thousands of customers trust them, and every one of them is obsessively carrying out the same checks. They never get a chance to put a foot out of line.
As for your on-premise infrastructure, who’s checking on that? Oh yeah, that administrator from your third-party service provider. What was his name again?
Phil Wainewright has been a thought leader in cloud computing as a blogger, analyst and consultant since 1998. As well as documenting the transformation of 21st century enterprises by digital technology, he has a part-time voluntary role as vice-president of industry advocacy group EuroCloud.
Great article Phil! And one that we've been telling nervous cloud prospects for a decade (see http://www.reallysimplesystems.com/cloud-crm-data-security). The fact is, it is totally impossible to prevent in-house data theft by an IT employee, and almost impossible to detect that theft.
And don't let's get started about laptops left in taxis...!
The remedy for the loss of proprietary information and data lies not in better Cyber Security hygiene, perimeter defense, or defense in depth measures. Instead the remedy can be found in a far more muscular and critical inquiry by consumers themselves into the actual risk of loss of proprietary information and data they cannot afford to lose and cannot protect. That risk is inherent in the joint use of cloud computing with the Internet and a supply chain of third party participants and outsource vendors.
In the Internet as public commons, there is no overarching responsibility for making the Internet safe; instead safety depends on cooperation and responsible choices. Considering the widespread Cyber Security risk associated with Internet use, why is the default option with respect to Internet use one of use not nonuse? Indiscriminately applied, the presumed use option only serves to enable Cyber crime whose bad actors threaten competitiveness and national security. Instead the default option on Internet use should be nonuse.
Just as a programmer needs to explicitly check boundary conditions in specifying inputs to a procedure, acquisition managers and enterprise executives need to establish pre-conditions for using cloud computing or the Internet and not simply exercise the default option of use.
@phil - this will make you giggle. A couple of years ago I was at a large vendor premises and decided to use Skype as a way of 'privately' creating a discussion group for the topic in play. It meant those in the room and elsewhere could back and forth on what was happening and so help us refine questioning. I fired up Skype but couldn't connect.
Within 3 minutes 2 burly security guys burst through the door and asked in loud voices: "Who's trying to use Skype?" I along with a few others sheepishly put up our hands. "That's a 'foreigner' system in this place!" we were told in no uncertain terms.
Here's the kicker: I asked: "Could you make an exception? We're using it to help us distil this content among ourselves and so give better feedback?" The conference facilitator then made what you'd call a fatal mistake: "Sure, make an exception - we know these guys - we trust them."
Bingo - we were back doing our thing and could have been yapping to anyone...