To be honest, my first reaction when reading today’s explosive revelations about the NSA’s X-Keyscore system was déjà vu – I’ve seen this many times before, in the Bourne Identity and dozens of other movies and TV shows. In a big, darkened room, rows of bright young computer analysts work feverishly to track the bad guys. Need the feed from a security camera in London? Click, got it. Want to track phone calls? Hotel records? Email threads? Click, click… piece of cake.
These latest revelations bring home what most security professionals have long known: the Internet is not secure. Never has been. It was built for openness and academic collaboration. Security was an afterthought, and an entire industry has since spent 20 years bootstrapping security on top of wide-open infrastructure.
Does this mean that businesses should pull back? Not use the cloud? Rebuild all of the on-premises infrastructure that has been dismantled over the last few years? Of course not. That genie will not fit back in the bottle.
But this does bring home some basic operational realities that businesses need to deal with:
Data residency doesn’t seem that relevant. The immediate reaction of many countries outside the US has been to stiffen laws that require private data to stay within a specific country. Yet the reach of the NSA, Chinese hackers or even Google doesn’t seem to stop at national borders. The top secret (yet surprisingly nicely designed) slide of X-Keyscore circulating today looks strangely similar to one I’ve been using to illustrate global data compliance laws. It’s a map of the Internet – open, connected, global – just like it was designed (or rather evolved).
Assume that no data stored in the cloud is secure, unless you have taken proactive steps to lock it and keep the keys. It’s not good enough to have someone else encrypt your data – they can just as quickly turn it over to the NSA or leak it to the next Edward Snowden or Jason Bourne.
These days, when you’re walking down a busy urban street, you don’t really think you’re invisible to law enforcement or people with nefarious intent. In the age of GPS on every phone, ubiquitous surveillance cameras, law enforcement drones, even the guys driving those cool Google camera cars – privacy in public spaces is long gone. Does this mean you stop going outside? No – but you do take prudent steps to protect yourself and guard what’s private.
X-Keyscore, PRISM, and whatever acronym Snowden leaks next week all demonstrate that the Internet is like a busy public street. Your data is not secure unless you take proactive and adequate steps to encrypt it and keep the keys.
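As an added illustration of the "encrypt it and keep the keys" point (not code from the original post): a Go program, with assumed function names and a constructed sample record, that encrypts an object on the customer's side with AES-GCM before upload, so the only thing a provider ever holds is a ciphertext blob it cannot open without the customer's key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Blob is all the provider stores: nonce plus AES-GCM ciphertext, never the key.
type Blob struct{ Nonce, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForCloud encrypts before upload; the object name is bound as associated
// data so a blob served back under another name fails to open.
func SealForCloud(key, plaintext []byte, objectName string) (Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{nonce, gcm.Seal(nil, nonce, plaintext, []byte(objectName))}, nil
}

// OpenFromCloud decrypts a downloaded blob with the customer-held key; it fails
// on a wrong key, a wrong object name, or any change to the stored bytes.
func OpenFromCloud(key []byte, b Blob, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(objectName))
}

func main() {
	key := make([]byte, 32) // generated and kept on the customer's side, never uploaded
	rand.Read(key)
	blob, _ := SealForCloud(key, []byte("payroll Q3 (constructed sample)"), "hr/payroll.csv")
	pt, err := OpenFromCloud(key, blob, "hr/payroll.csv")
	fmt.Printf("provider stores %x; customer reads %q (err=%v)\n", blob.Ciphertext, pt, err)
}
```

A disclosure request served by the provider alone yields only the hex blob printed first; the key that turns it back into the record never left the customer.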