5 Things PRISM Teaches CIOs About Doing Business in Today’s World
Revelations that the United States government is monitoring Internet data from tech giants such as Facebook, Google and Microsoft should make your company reconsider where and how it stores data--all while realizing that, at the end of the day, surveillance practices (usually) stay a secret for a reason.
By Jonathan Hassell
It’s been about two months since the sweeping allegations of United States government surveillance, mainly through the National Security Agency, hit the airwaves. It seems like we get a new taste of how deeply the NSA works with various companies to enable that monitoring every couple of weeks, too.
We may never know the full extent of this program, and some details are still in dispute, but it has been long enough for the general public to start forming conclusions about the program. Considering what we now know—or at least what we think we know—here are five considerations for CIOs and technical staff at all companies in the wake of the PRISM monitoring scandal.
Essentially, every service you touch generates metadata—or information about you, the transaction and other details—which is stored and can be accessed at a later date. Understanding this is a crucial step to fully appreciating the implications of a surveillance program like PRISM.
Internally, looking at data retention policies for possible modification should move up your priority list. Externally, interrogating your vendors about what metadata is generated through your business with their companies, as well as how it’s stored and when it expires, takes on added importance.
2. Assume That Most PRISM Press Is Wrong.
Or, to be charitable, assume that it’s at least moderately inaccurate from a technical perspective. As is ever the case, in an effort to make a technical operation understandable and digestible to the average reader, who isn’t an Internet communications professional, a significant portion of the media coverage about the PRISM monitoring contains inaccuracies.
For example, there’s still much debate about what initial reports from The Guardian on NSA “direct access” to servers at Microsoft, Google and so on actually means in practice. The Guardian later reported that Microsoft had provided methods of decrypting communications stored in the company’s Outlook.com and Hotmail e-mail services—specifically, that “Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept Web chats on the new Outlook.com portal.”
It’s unclear if this means that Microsoft helped the NSA penetrate SSL-based encryption used during data transmission, or if Microsoft stores the records of chats and their contents for a period of time in an encrypted way and then gave the keys to the NSA, or something else entirely.
Put simply, we don’t know. That makes it hard to guard against this type of eavesdropping. If you don’t know what you are securing against, you may be employing strategies that don’t address the actual breaches that are happening. The media gives you an overall impression of the scale and depth of any monitoring operation, but don’t rely on the reporting for sensible, applicable technical details.
3. PRISM Should Give You Pause About Cloud Migration Plans.
It should be obvious to all that, as in dispute as the aforementioned “direct access” claim is, it’s certainly easier for the NSA to convince Microsoft, Google or any other cloud service provider to hand data to the federal government—or to monitor the data that’s stored there—than it would be for them to convince you to hand over your data stored locally.
These Fortune 50 providers are big fish with big targets on their back and, naturally, much of the surveillance effort is going to be concentrated there. You would know if a black box were put in your data center, or if someone spliced a cable in your server room, and so on.
Now every organization is different. This “threat” of intercepted communications may simply not be on your radar. That’s fine. Other CIOs may decide the benefits to their organization from moving to the cloud and storing data at a large service provider outweigh the risks that their communications will be monitored. That’s also fine.
However, it’s important that you at least consider the impact PRISM and related programs have on how your data is stored, accessed and monitored—and that you at least make educated, considered decisions about moving to the cloud in light of these revelations.
4. Understand At-Rest Encryption and Plan to Support It ASAP.
While it’s impossible for most of us to know for certain, the source of the PRISM leaks believes encryption is a good bet for protecting communications you don’t want intercepted or monitored. “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on,” Edward Snowden said in a live chat with Glenn Greenwald of The Guardian. “Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”
Unfortunately, encrypting email transmissions is a difficult process, not to mention one that’s not very user friendly. At the least, encrypting data that is at rest—that is, data that’s not being transmitted, but is simply stored, such as files on a hard drive—ensures that data cannot be easily decrypted in plain text when it’s transmitted later.
In addition, some cloud service providers are offering a service that encrypts data at rest on their servers. Look into these policies and services from cloud providers—and also ensure that your own data center enables this for sensitive information at a minimum. (This is a good security practice for a number of reasons, not just to avoid the NSA.)
5. At the End of the Day, There’s Not a Lot You Can Do.
The very nature of secret surveillance is that it’s secret, in that we don’t often know when we’re being monitored, the extent to which we’re being monitored, and how that monitoring is being performed.
The U.S. government has an almost-unlimited budget, the power and the clout to carry out surveillance in numerous ways we both can and can’t predict. It can tap Internet lines. It can put secret black boxes in datacenters, as we have seen from Buzzfeed’s coverage of the Utah ISP forced to host an NSA server in its racks for nine months.
The bottom line: If we’re all being honest, there’s little action we can take to prevent government monitoring. We can make it more difficult for our communications to be intercepted in plain text and free and clear—though how much more difficult we can make it is arguable. We can store data on premises as much as possible so that it’s not sent over a wire, too. But those are stopgap measures. It’s best to assume that, if shadowy government agencies want to snoop your data, they can.
Jonathan Hassell runs 82 Ventures, a consulting firm based out of Charlotte. He’s also an editor with Apress Media LLC.