What the Snowden Leaks Can Teach Us About Data Security

Thursday, November 14, 2013

Cam Roberson


One of the major issues discussed in the wake of the National Security Agency leaks involving Edward Snowden was how the government can prevent a similar leak from happening in the future. The answer featured most prominently in media reports centered on the number of security clearances the NSA issues. Keep a tighter rein on who gets a security "pass," the reasoning went, and the chances of a similar leak happening in the future will decrease.

That approach isn't wholly devoid of merit – it's probably true that fewer people with access to data means fewer opportunities for insiders to steal that data – but it reflects an understanding of how data security systems work that may be closer to Mission: Impossible than to reality. At most large enterprises and government agencies, data security is built around not a binary access-or-no-access program, but rather a nuanced web of access controls. (Several security experts, in fact, have said they believe Snowden didn’t actually have legal access to much of the data he took.)

Image Credit: http://commons.wikimedia.org/wiki/File:Edward_Snowden_%22Xilograf%C3%ADa%22.jpg

Image Credit

And there are several measures beyond data authorization controls that can strengthen data security, making it more difficult for bad actors to break into the system, and tougher for them to make off with sensitive information once they're inside.

Here are three measures, then, that organizations can take to protect against breaches like the one allegedly perpetrated by Snowden:

1. Data Access Controls

Some companies employ what I'll call broad-gauge data access controls – allowing a select group of workers to see "classified" information, and giving everyone else a much lower level of access.

This may be an elegant solution, but it doesn't reflect the actual dynamics of information sharing. Think, for example, about how you communicate in your personal interactions. There probably isn't a certain group of friends you would trust with everything, and another group you would trust with next to nothing.

Rather, you probably take each secret, and each person, one by one. In deciding whether to divulge a particular thing to a particular person, you will likely ask yourself broad questions such as whether you can trust that person, in addition to more specific ones like whether you can trust the person with this particular piece of information. You might reveal one deeply held secret to Friend A and a different secret to Friend B, but that doesn't necessarily mean that you'd share both secrets with each friend.

Information sharing within an organization might not be quite as fine-tuned as all that, but there is nevertheless the need for data controls that allow managers to tightly regulate who sees what. You may not want the head of your marketing department to have access to everything the head of your sales department sees, for instance, if you know that there's an ongoing turf war between the two deputies, and that one is likely to use the information to the detriment of the other.

Accordingly, organizations should consider adopting nuanced controls to regulate who sees what. Available security software allows for a remarkable amount of fine-tuning when it comes to regulating access, and enterprises and government agencies alike would do well to take advantage of this fact.

2. Multi-factor Authentication

Regulating access to data will prevent the vast majority of employees from seeing things that managers don't want them to, but what about the occasional employee who decides to try and breach internal security controls? This is where multi-factor authentication comes into play – that is, requiring users to enter more than just a password to access the system. For example, employers could require their employees to complete a facial scan or swipe a key fob or answer personal questions in order to login.

It might not be terribly difficult for an IT worker like Snowden to gain a password – some have speculated that he may have gotten one from a high-level employee in helping solve a technical issue – but it would be much more difficult for him to gather detailed personal information used for authentication, or to fool a key fob or facial scanner. Enabling multiple steps to determine valid authentication based on what they know (passwords, questions), who they are (fingerprints and facial recognition), and what they have (key fobs, cards, etc) provides significantly more obstacles.

3. Data Elimination

Data access controls can allow organizations to regulate who sees what, and multi-factor authentication can prevent employees who want to gain unauthorized access to classified information from doing so. But data security programs shouldn't stop there – they can also prevent a bad actor from stealing data once he's already in the system.  That’s where data elimination comes in.

Admittedly, it's difficult to stop a would-be data thief once he's already within the walls. But features that allow for the elimination of data can be effective in certain cases – for instance, when the organization learns that a device has been compromised, or when an employee is violating company policies in transferring data.

Data security software currently on the market allows administrators to wipe data from a device remotely if they know that a device has been compromised. And administrators can also set devices to automatically wipe any data stored on them when security software detects a user violating expected norms or certain terms of use. For instance, a company could automatically set a device to block a transfer of data to a thumb drive (it's been reported that Edward Snowden used a thumb drive to take government data, in contravention of NSA policy). It may not be practical to constantly monitor the activities of every employee (or even desirable given productivity and employee satisfaction goals), especially given our migration to a more mobile, bring-your-own-device work environment. But we can enable devices to monitor themselves, through automatic controls.

It's possible that even the measures I've detailed here wouldn't have prevented the Snowden breach. It's even possible that the NSA already has security measures similar to the ones I've described in place, and that Snowden was simply adept at getting around them.

Snowden's breach is, however, a good reminder to organizations everywhere that there are a number of proactive measures that they can take to secure their data. The sophistication, affordability and simplicity of many of the data-security software products on the market make it possible for even small companies to implement strong, effective solutions. While these solutions may not be enough to stop Mission: Impossible’s Ethan Hunt, they may indeed suffice to frustrate the next Edward Snowden.

Possibly Related Articles:
Cloud Security General General Enterprise Security Policy Security Awareness Breaches
Federal Military Municipal State/County Information Security
Edward Snowden Multi-factor Authentication
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked