It has been interesting to watch how the information security market has reacted to the leaks of information presented via the press by Edward Snowden, writes Robert Newby. The hardcore security community has tended to condemn his actions as childish and ill thought-out, colleagues at GCHQ either refuse to speak his name or spit (literally or metaphorically) when they do. Others with a more left-of-centre attitude revere him as a hero of the common man.
There are of course elements of truth in all of this, my take is that he acted illegally, but thought he was doing something for a greater cause. Perhaps if he had practised whistle-blowing via the correct routes he would have been silenced, and the government would never have had to act in defence, certainly we would never have had to react personally. Simply put, the more people he could get to see what was happening all at once, the more chance there was that something would be done about it without the truth being manipulated.
Of course IT security suppliers have had a field day with this. As an analyst I speak to suppliers on a weekly if not daily basis. Not a single one has failed to come out with their own take on how they could have stopped the “Edward Snowden problem”. For identity companies of course this makes some sense, proper identification and access control may have prevented access, but Snowden had legitimate access to much of his sources. Some of the more cutting-edge virtual systems also have great case studies, one in particular where the information cannot leave a specific environment without encryption would surely have slowed him down.
Man on a mission
But that is the point. It would have slowed him down, not stopped him. Snowden was clearly a man on a mission. Technology had little to do with what he set out to achieve. Holes in security were exploited out of habit rather than malicious intent, the intent was there without the technology. That is to say, Snowden would have revealed what he did one way or another, the fact that it was made easy by lack of process, identification, access control, encryption and other controls is only half the story.
This does mean it should not be raised to our attention, quite the opposite, but in context, not isolated point solutions. In fact it could be argued that isolated point solutions were much of the issue in the first place. Haven’t we seen this before?
The approach to information security always seems to be, and have been, to follow the most recent or highest profile problem, and to fix it with technology. We are often so busy firefighting that we have no time to implement strategies. Projects have a better chance, where some strategy can be applied at a high level before implementation of the whole, but there are often unforeseen circumstances during execution which change the dynamic and put security on the back foot again.
As more platforms, infrastructure and applications are moved offsite, this becomes more of an issue. Security cannot be fully outsourced, even when the rest of the operation is. The fact remains that a business needs to be able to deal with the internet in this day and age, to manage its involvement and interaction with it, at scale, and to react. And better still, to be proactive in the responses received from logs and alerts out in the wild.
Putting anything out in the cloud can feel like a relinquishing of control, no matter what information it carries, but there are an increasing number of strategies for dealing with this. The major shift in technology for cloud adoption will be the take up of encryption solutions. Encryption of course is nothing new, and relatively simple to deploy. Key and certificate management is not. At an enterprise level it is hard to manage a large number of keys and certificates, on a global scale it is seemingly impossible.
What is required is more co-operation, telcos and internet service providers (ISPs) adopting standards for key management such that clients can manage their own keys and not each other’s, without the ISPs having any access. This will still require management of the connections between ISPs and end clients, security within networks, prevention of internal data leaks, but this is the only way to react to the expansion and explosion of the cloud.
But did Edward Snowden not say that the NSA and GCHQ could monitor encryption without keys? Is SSL not already broken? So is all encryption not vulnerable? What about the software controlling the keys, is there a backdoor in this that’s sending it all back to the state? Just because you’re paranoid, etc…
So, as a community, we should be putting this out on the internet, making it open source. Once again, that does not feel right, does it? If I want to protect my data, why would I ask someone, everyone else to write my encryption algorithms and key management software?
Well, simply put, if everyone can see it, it tends to keep people honest, and is that not what Edward Snowden was trying to do in the first place?
Robert Newby is an analyst and managing partner at KuppingerCole UK