XKeyscore map

Truth as Strange as Fiction – CipherCloud on the X-Keyscore Front Line

To be honest, my first reaction when reading today’s explosive revelations about the NSA’s X-Keyscore system was déjà vu – I’ve seen this many times before, in the Bourne Identity and dozens of other movies and TV shows. In a big, darkened room, rows of bright young computer analysts work feverishly to track the bad guys. Need the feed from a security camera in London?  Click, got it. Want to track phone calls? Hotel records? Email threads? Click, click… piece of cake.

Surveillance room

Sure, it’s unsettling that this appears to not be very fictitious, but with today’s explosion of Big Data, when advertisers can easily track your shopping preferences, social media posts, and email content, is it really that surprising that the NSA or Chinese hackers can do the same?

These latest revelations bring home what most security professionals have long known: the Internet is not secure. Never has been. It was built for openness and academic collaboration. Security was an after-thought, and even then an entire industry has spent the last 20 years boot-strapping security on top of wide-open infrastructure.

Does this mean that businesses should pull back? Not use the cloud? Rebuild all of the on-premise infrastructure that has been dismantled over the last few years? Of course not. That genie will not fit back in the bottle.

But this does bring home some basic operational realities that businesses need to deal with:

  • XKeyscore map

    Data residency doesn’t seem that relevant. The immediate reaction of many countries outside the US has been to stiffen laws that require private data to stay within a specific country. Yet the reach of the NSA, Chinese hackers or even Google doesn’t seem to stop at national borders. The top secret (yet surprisingly nicely designed) slide of X-Keyscore circulating today looks strangely similar to one I’ve been using to illustrate global data compliance laws. It’s a map of the Internet – open, connected, global – just like it was designed (or rather evolved).

    CipherCloud compliance map2

    Assume that no data stored in the cloud is secure, unless you have taken proactive steps to lock it and keep the keys. It’s not good enough to have someone else encrypt your data – they can just as quickly turn it over to the NSA or leak it to the next Edward Snowden or Jason Bourne.

These days, when you’re walking down a busy urban street, you don’t really think you’re invisible to law enforcement or people with nefarious intent. In the age of GPS on every phone, ubiquitous surveillance cameras, law enforcement drones, even the guys driving those cool Google camera cars – privacy in public spaces is long gone. Does this mean you stop going outside? No – but you do take prudent steps to protect yourself and guard what’s private.

X-Keyscore, PRISM, or whatever acronym Snowden leaks next week all demonstrate that the Internet is like a busy public street. Your data is not secure unless you take proactive and adequate steps to encrypt it and keep the keys.

Join over 5,000 subscribers - best practices and tips delivered weekly to your inbox.
We respect your privacy. Your email address will never be sold or shared with anyone else.
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *