Big Important to Fail? While the Department of Homeland Security should be congratulated for establishing the first
The recent hacking of 14.000 records from the Department of Energy, along with the actions of rogue IT Admin Edward Snowden is further evidence that an “information centric” approach to security must be applied in order to mitigate the risk of data breaches. Additional investments of money, resources, and time in standard perimeter security tools will not guarantee that Agencies remain safe from the relentless exploits from outsiders nor combat the activities of malicious insiders. The Federal CIO Council agrees that protecting the “system” no longer suffices because the “data” is what needs to be secured.
“Encryption paradigms must shift from system centric to data element centric considerations.” Federal CIO Council, ISMIC Guidelines For the Secure Use of Cloud Computing, Dec. 2012
The sheer budget and scope ($95 Million; 240,000 employees) of this DHS cloud security initiative may be cause for scrutiny:
“My sincere hope is that the initiative’s security and privacy considerations have been properly assessed and stress-tested…My fear is that, given the size, scope, complexity and sensitivity of this program, as well as the dimension and potency of the threat, coupled with the need to achieve certain goals within a tight budget, that a determined foe will identify [any] Achilles heel] that’s in the system.”
– Homeland Security Today
While the benefits and cost-savings of adopting the Cloud are many, and the DHS should be applauded for taking the matter of cloud security into its own hands, let’s hope that the prime directive of “data protection” doesn’t get lost amongst other priorities.
A Holistic Approach
Best practices should be followed, which can be summarized by 4 steps as part of an ongoing process to identify, secure, enable and monitor information:
- Discover: Before you can protect sensitive corporate information in the cloud you first need a detailed understanding of:
- Who should have access and who should not;
- What content is sensitive, proprietary, or regulated and how can it be identified;
- Where this data will reside in the cloud and what range regional privacy, disclosure and other laws might apply
- Protect: Find effective and practical tools to protect the right information. Most importantly, the data owner must maintain exclusive access to decryption keys, assuring that no unauthorized parties can ever access, leak or disclose protected data
- Preserve Usability/User Experience: No security solution will be effective if it breaks the application or makes it impractical to use.
- Monitor: On-going monitoring of information going into the cloud requires detailed visibility, application awareness, and understanding of the context of business information. The solution must enable granular reporting and visibility into cloud application usage, with context on user roles, content, and accessibility to specific types of data
Get it Right Now…Or Pay More Later
The Department of Energy will be providing “free credit monitoring for one year and providing ‘best practices for minimizing the potential for identity theft’” to the 14,000 employees whose PII was compromised. Perhaps as a best practice, other Agencies will learn a lesson from the DOE and allocate a little extra money to effectively secure PII up front vs. spending $10/month per employee for assisted credit monitoring on the back end in order to protect their employees from the violation of identity theft and all of the hassles that come with it.