Six myths of on-premise security: an NSA primer

Phil Wainewright, August 28, 2013
Edward Snowden also revealed the parlous state of the NSA's IT security regime. There are lessons to be learned by every large enterprise.

I've said it before and I'll say it again. People who protest their reluctance to put enterprise data into the cloud demonstrate a misplaced confidence in the security of their own infrastructure.

Would we now be reading Edward Snowden's PRISM revelations had the NSA been storing its secret documents in the cloud? I suspect it's unlikely. Moving to the cloud means scrutinizing your security and risk exposures with far more care than most enterprises ever devote to their own on-premise arrangements.

It's truly ironic how eager people are — even tech industry luminaries like VMware CEO Pat Gelsinger — to point at the Snowden revelations in support of their contention that your data is safer on-premise.

The existence of the revelations is itself such a categoric condemnation of the NSA's own on-premise security precautions that it should be a warning to us all: our own security may not be the paragon of excellence we assume.

At least the NSA found out — although not in a good way — when the perpetrator publicized his own actions with front page stories in The Guardian, The Washington Post, and other titles. Most data thefts go unnoticed and undetected.

OK, so maybe it is easier for the government to get at your data if it's kept in (or sent via) the cloud. But governments make the law; they can legislate to get at your data wherever you keep it.

You should be worrying more about keeping it safe from everyone else's prying eyes — in particular your competitors, vengeful ex-employees and others who wish you ill.

So be thankful for the NSA's failure to keep its data safe from unauthorized removal by Edward Snowden. With further background uncovered by the investigative team at NBC News, we can now highlight the six most common myths of on-premise data security.

1. I can trust my own people

Er, no you can't. Especially not when most of them are contractors hired in from third-party IT service providers — Snowden was employed first by Dell, then later got a job with Booz Allen Hamilton, in a move that it seems he deliberately orchestrated in order to obtain better access.

How do you know these third-party contractors are even fully trained on your security policies, let alone following them? Sure, they're upstanding people and you can trust pretty much all of them. It's the handful you can't trust that you have to worry about.

2. I have locked down my desktops

To prevent data 'walking out of the building' on thumb drives, most enterprises lock down the USB ports and other data transfer outlets on their desktops. The NSA went further, having its workers use a 'thin client' infrastructure which meant the desktop software was running on well protected servers at its base in Fort Meade, with only the user screens downloaded to the local client. As NBC News explains, this created a protective 'air gap' around the sensitive data:

The system is intentionally closed off from the outside world, and most users are not allowed to remove information from the server and copy it onto any kind of storage device. This physical isolation — which creates a so-called 'air gap' between the NSA intranet and the public internet — is supposed to ensure that classified information is not taken off premises.

The trouble with this type of blanket lock-down is that there are always exceptions when data has to be downloaded locally. One example cited by NBC News would be moving information "to correct a corrupted user profile." So a workaround has to be created for those cases, which certain administrators are authorized to use. At the NSA, Snowden was one such authorized administrator.

Of course, mobile and remote access would open up a whole other can of worms, but since the NSA didn't go there, we can leave that worry for another day.

3. We log everything

The one sure way to enforce rules is if you make sure that people will get caught when breaking them. So monitoring and logging what users are doing on the system is an essential component of any security paradigm.

Trouble is, are you sure you're logging the right people? For example, be sure that people aren't sharing login credentials. Also watch out for the exceptions, created for technical issues, that allow administrators to log in as other users or even to take on 'ghost' identities that aren't logged so they don't skew the usage stats.

A determined miscreant will quickly identify these loopholes and take advantage of them — which is exactly what Snowden did at the NSA.
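As an added illustration (not code from the article), this Python runs over a constructed audit log and flags exactly the three gaps just described: one account active from two places at once, an administrator switching to another identity, and work done by an identity with no recorded login. The record format, field names and sample values are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (not from the article), one event per line.
SAMPLE_LOG = """\
2013-06-01 18:05:10 host=ws-a event=login user=jdoe src=10.1.7.23
2013-06-01 18:06:42 host=ws-a event=su user=jdoe target=backup_admin
2013-06-01 18:07:01 host=ws-a event=login user=backup_admin src=10.1.7.23
2013-06-01 18:09:30 host=ws-b event=login user=jdoe src=10.44.2.9
2013-06-01 18:12:00 host=ws-c event=copy user=svc_profile src=10.9.9.9
2013-06-01 18:20:15 host=ws-a event=logout user=jdoe src=10.1.7.23
2013-06-01 18:23:00 host=ws-b event=logout user=jdoe src=10.44.2.9
2013-06-01 19:40:00 host=ws-a event=logout user=backup_admin src=10.1.7.23
"""
LINE = re.compile(r"^(\S+ \S+) (.*)$")

def parse(text):
    """Return (timestamp, fields) pairs in time order; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, dict(kv.split("=", 1) for kv in m.group(2).split())))
    return sorted(events, key=lambda e: e[0])

def audit(text):
    """Flag shared credentials, identity switches and activity without a session."""
    findings = []
    sessions = defaultdict(dict)   # user -> {source address: login time}
    switched = {}                  # assumed identity -> real user who switched to it
    for ts, ev in parse(text):
        user, kind, src, host = ev["user"], ev["event"], ev.get("src"), ev["host"]
        if kind == "login":
            others = [s for s in sessions[user] if s != src]
            if others:   # same account active from two places: credential sharing
                findings.append(f"shared credential: {user} from {src} while active from {others[0]}")
            if user in switched:   # the admin exception: record who is really behind this login
                findings.append(f"attribution: {user} login on {host} is really {switched[user]}")
            sessions[user][src] = ts
        elif kind == "logout":
            sessions[user].pop(src, None)
        elif kind == "su":
            switched[ev["target"]] = user
            findings.append(f"identity switch: {user} became {ev['target']} on {host}")
        elif src not in sessions[user]:
            # work done by an identity with no login record: a ghost, or a logging gap
            findings.append(f"ghost activity: {user} did {kind} on {host} with no session")
    return findings
```

The last branch is the one worth dwelling on: a 'ghost' cannot be seen in the login log itself, only by cross-checking activity records against it.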

4. We are fully compliant

I know you have total confidence in the robustness of your procedures. But are you one hundred percent sure they can't be circumvented by exceptions like the examples above? As Techdirt concluded of the NSA's experiences:

... if Snowden could do it, it's very, very likely that he's not the only one employed by the NSA or contracting for the NSA who knows how to cover their digital trail. And that leads to a very obvious question: sure, the NSA knows about thousands of unintentional violations and a bunch of intentional violations — but what about all the violations it has no idea about because someone was able to bypass or delete the log files?

5. I can see what my people are doing

Perhaps the greatest fallacy of on-premise security is a phenomenon I like to call 'line-of-sight governance.' It's the false sense of security we experience when we feel that whatever happens, at least we can always just walk down the corridor and make a hands-on assessment of the situation on the ground.

This sense of direct, actionable accountability covers a multitude of sins, especially in organizations like the NSA where much of the IT infrastructure is years out-of-date (hands up, every large enterprise).

And of course it doesn't work in a globally distributed enterprise where some employees are hidden far out of sight. As NBC News recounts:

Snowden’s physical location worked to his advantage. In a contractor’s office 5,000 miles and six time zones from headquarters, he was free from prying eyes. Much of his workday occurred after the masses at Ft. Meade had already gone home for dinner. Had he been in Maryland, someone who couldn’t audit his activities electronically still might have noticed his use of thumb drives.

6. It's our own infrastructure

The very thing that makes you feel most secure is the one thing that is your fatal flaw. If it was someone else's infrastructure, you'd be crawling all over it to check out every weakness. You'd demand exception-proof procedures, blanket monitoring, fully auditable logs and real-time reporting. Even then, you'd be spot-checking all the time to make sure they weren't slacking on the job.

Which is why the safest place to keep your data is with a reputable cloud provider — because none of their thousands of customers trust them, and every one of them is obsessively carrying out the same checks. They never get a chance to put a foot out of line.

As for your on-premise infrastructure, who's checking on that? Oh yeah, that administrator from your third-party service provider. What was his name again?

Image credit: © forkART -
