Data Security is Changing
The revelations about the NSA, the scope of their data snooping and the vast amounts of information they watch are truly incredible. If you add to this the technology that’s been developed to do this task, you really have to stop and think.
For example, do you really believe the current agencies doing this snooping are the only ones capable of it? If "yes," do you believe it will stay that way? I can’t see how it can. We can say the technology is protected or whatever other statements we can dream up to ignore the issue, but the fact is, the tech is out there. This means other people have access to the same things…
If you look at some of the tech discussions going on about data security, you’ll even see some that indicate that there is now an ability to stage a "man in the middle" attack on SSL-encrypted information. This means it’s possible to grab data in transit, decrypt and presumably analyze it, then send it on its way in real time, without any party (including the ISP) knowing or participating in the operation.
I think this is going to be the start of fundamentally changing how we must go about data management. Data security, data storage, data protection all rely on knowing you can keep a "chain of custody" for the data: that if you manage this chain, keep track of the parts and lock things down each step of the way, you can control access to the information.
Now, clearly, you must be encrypting data at rest, controlling access to the information physically and logically, protecting it in transit in terms of application access, and doing all you can there. The simple truth is, though, that that’s not enough to know it’s truly protected.
We need to be thinking about the entire lifecycle of information. We can’t regulate out of this one – the bad guys don’t really care about regulations. We need to figure out how we’re going to protect information and we need to take a step back and think about it from entirely new directions. As far as I know (though security isn’t my main expertise), there aren’t solutions that protect us well enough – and certainly not looking forward.
I got started thinking about this – we had a customer that wanted to pay by credit card. But they didn’t want to pay online, and their solution was to put each segment of their CC number and the accompanying codes in 6 different emails, assuming that if someone was watching, they would only see the separate pieces, not the whole of the credit card information. Yikes. I get the concept, but the implementation is problematic.
Looking forward – how will you be addressing true data protection? What do you do when the encrypted transaction is susceptible to sniffing (or whatever else is coming to awareness)?
Please comment below or drop me a note (swynk@sswug.org) – I’d really like to know what everyone is thinking and planning.