I get to gore a lot of oxen in this blog. Please don't feel left out.
Got me a data breach
One Two Three
Someone's stealing my
Outside job inside job
It's a rotten tomato
I wanna lob
At someone asleep
The System Logs.
In the cloud
Soft or out-loud
Some database gets ploughed
And the turnip they
And is repaid with
Free Credit Reports
For a Year!
I often like President Obama, but I find his recent cybersecurity executive order, announced last week in Silicon Valley, leaves me cold. Security is a fundamental, but my sense of security is often counter to the profit motives of many, many organizations, and perhaps even, and especially, the U.S. government. Trust has been vanquished. Renewing it will be difficult.
Organizations ought to make the very best security practices habitual, no matter where the data assets are located.
If you're the CIO or CSO, you're in offensive/defensive mode. The legal department is breathing down your neck. IT assets in the cloud feel especially vulnerable, just because they're “physically” in the cloud. Will our security budget be enough? Just how valuable is the data, you might reply.
The marketing department is using the cloud as a mosh-pit for real-time data analysis, watching both sales and advertising conversions, AdWords success, and also snooping on competitive trends. Maybe there are regulatory restrictions. Maybe not. Might be encryption. Might not. Got to love standards when there are so many of them, and so unequally applied.
DevOps is constantly mutating the web CRM engine, trying to keep ahead of inventory and currency fluctuations. Amazon and Rackspace instances are like candy to them; hundreds spin up and down on a daily basis. They deal with the money people—credit/cash sales clearance organizations—to offload identity risks and prevent storage of identifiable client information. Sometimes this doesn't work as well as planned. Who reviewed the plan?
Legal has 72 litigations with eDiscovery docs sitting in lockdown at DropBox, and they're watching SettledClassActionInTheCloudWebApp.com (fictitious, but probable) to see what the payouts are going to be. They're closely aligned with Beatem, Cheatem, and Howe (of CarTalk fame) and are counting the slip-and-falls in the new mall with a web-app hosted on GoDaddy.
And all of these constituents are going to either cede their perceived security positions or join in a Kumbaya moment with the government. This is the same government that's looting smartphone data, most of the email it can decrypt (and some it can't), every international communication imaginable down to the phone of the Chancellor of Germany (my personal apologies), and believes that this will stem the tide of security problems. Its data centers, located in conveniently patriotic places like Utah and Virginia, bulge at the seams with our metadata, and more, if we're to believe Edward Snowden et al.
The government's not the only data vacuum cleaner. During the second week of February 2015, we witnessed Anthem lose 80 million customer records, and then news of perhaps one of the great bank robberies of our time. The Great Train Robbery looks like a convenience store stick-up by comparison.
Surely Someone Should Do Something!
I'll admit, something should be done. Let me list some suggestions for actionable items:
- Get your government nose out of our business, and stop making organizational infrastructure targets without a specific public warrant.
- Don't make us your enemy – if we have to become very secure, it's going to also mean a step ahead of the state of the art, and that means the government's cadre of coders and sniff artists. Stop the cell number-snatching drones, the optical fiber vacuum cleaners, and the janitor closets full of gear at NAP NOCs.
- Get real prosecutors trained with real computers to make real litigation with real budgets to take down the scammers. Make all communications verifiably opt-in. Take a few moments from ISIS and collar some data theft criminals, or squeeze out The Dark Web.
- Should an organization somehow leak customer information, institute a cash fine of $100/customer as a penalty. This will drive insurance companies to become the arbiters of audited security infrastructure. Running without insurance would dissolve any corporate shields, and shareholders would become liable for the insanity of identity theft liability and the years of work it takes to clean up credit records after identity theft.
- Mandate key control and encryption for data in transit and data in place, wherever that data could conceivably identify a customer or an organization. We have the encryption horsepower. Now we need to encrypt and control the keys.
- Make professional systems security workers licensed at the federal level. Make it very, very tough to obtain the certification, and have it renewed—especially in the face of a breach. We do this for many professionals, and CSOs and security workers handle very valuable data—an analog of who we are. Were a building to fall over, we'd look to the architects and builders for liability. Systems security should be no different.
Security is a matter of trust. We want to trust each other, but the U.S. government has revoked its own trustworthiness in a litany of actions that have been criticized the world over, not to mention on both sides of the aisle in Congress. Large organizations also seem to toy with the personal identity assets of consumers, rather than being strident and tenacious in the quest to do their very best to prevent the robbery of both the trust and the asset value of their customers.
Can we trust Target, TJX, Anthem, and the big banks that have squandered those assets? A few emblematic arrests and convictions have been made here and there. A systematic approach to renewing mutual trust is in order. It's not going to be easy.