In IT security – we have failed.

As you might now, I have an interest in IT security and I even maintain a CISSP certification. When reviewing everything that we now know about the NSA, we, as an industry have failed – miserably.

When IT professionals are charged with “keeping data secure” – it means, keep it secure from everyone. The fact that data is secure only to the vendor-level, means that the vendor is vulnerable to attacks and to government requests. You would think that for just liability reasons, vendors wouldn’t want users data, but that is not how things ended up.

The 4th Amendment of the U.S. Constitution says:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

It is my personal and professional opinion that in the modern day, a persons electronic data is part of their “papers, and effects”. That means, to me, that it should be treated with the same level of security as your birth certificate, social security card, or any other personal document. It also means, to me, that the NSA collection of all of our electronic data is completely unconstitutional. However, while it is still “legal” – companies are compelled to comply.

I’ll leave it to the lawyers to figure out that part – but meanwhile, why was this data even available to provide, in the first place!? In an ideal world, when the NSA comes to your company and demands that you turn over all the data of your customers – your answer should be:

“I can’t! It’s all encrypted, even WE can’t read it!”

Why is this not the case? The data should only be in an unencrypted state in-memory, briefly – while the user is logged in. Right?

The “Free Lunch”:
It might not be obvious to everyone, but anytime you use a “free” service – there is a reason it is free. If you look in the terms of service and/or privacy police, you’ll see that most of these companies analyze every bit of your information and often sell it to advertisers. They use every bit of your data to build a very detailed, creepy, stalker-like profile of everything they know about you – and sell it to anyone who will pay them.

So, free services like: free e-mail, facebook, twitter, instagram, tumblr, SkyDrive, Google Drive, DropBox, any free service from Microsoft, Google, Yahoo, etc – they all work similarly.

In these cases, it makes sense that these companies have no interest in being locked-out of our data, because out data is the ONLY reason they are giving us this free service!

The bottom line here, you have a choice. You can choose to not use these free services. You can pay for privacy. For example, Silent Circle (https://silentcircle.com/) just shut down their secure e-mail (following what happened to http://www.lavabit.com) – but they still have secure phone app for making secure calls and secure instant messaging.

Or, you could also optionally use a 3rd-party encryption product (like PGP, for example) to encrypt your e-mail. Either way, just be aware that these “free” services have no interest (financially) in being locked-out of your data. In fact, they are making a living off being able to see it. But – if they can see it, so can hackers, and so can governments.

Pay Services:
This is what I find most frustrating. There are legitimate, pay services that truly don’t know what your data is (like Secure Circle and LavaBit) – but why isn’t EVERY pay service like this? If I am paying a company (so they don’t need to sell my data to make money) – why isn’t all of my data encrypted?

This is similar to advertisements and cable TV. When you get “free” television, they have to pay for the airtime with commercials. When you “pay” for HBO, or Showtime – since you pay extra for it, you don’t have commercials. Same concept here.

There is one fundamental reason, I’ve realized, why everything isn’t encrypted, by default: it’s not easy enough, yet.  The main reason is that no database technology fundamentally supports encryption in the right way. Microsoft SQL Server supports encryption, but requires the key or certificate to be ON the server. This means if you can compromise the server, you can also compromise the data – which defeats the purpose!

So, until I can pass in a key or certificate as part of my SQL query, developers are left trying to create one-off solutions to make sure things are encrypted properly. This can be problematic, and difficult to implement – so people choose to the path of least resistance.

We need better technology.

Bottom Line – As An End-User:
I disagree morally, legally, and ethically with what is going on with the NSA and other government spying. So I will continue to look for other products and services that encrypt everything I do.

In the olden days it was looked at suspiciously if someone wanted to encrypt their e-mail, IM, and phone calls. But now, it just seems like the reasonable thing to do.

If I’m suspected of a crime or am being charged with a crime, they can subpoena my encryption certificate. But if not, I am Constitutionally-protected to my right to privacy. Even beyond that though, it only makes good sense to simply keep my private data out of EVERYONE’s hands, unless they explicitly need it – right?

Bottom Line – As An IT Professional:
If you work for an organization or company, and if you’re business model is not based off selling user data, you should be encrypting everything. Period.

Even if you disagree with me and think the NSA general warrant is legal. Imagine this scenario: the government requests data from your company, you supply it, they ultimately lose a case against one of your clients. Your client should, and likely will sue you, for damages and legal costs because you were complicit in supplying information – which ultimately wasn’t yours to give.

For me, for many reasons, if I have a paying customer – I am going to go out of my way to make sure that data is encrypted with their key, or their password phrase – or whatever… something that I don’t know. I WANT my data to be useless to hackers and I WANT to be able to tell governments that I simply can’t provide the users data and that they need to get the data from the user, not from us.

I hope more IT professionals see that we, as an industry, have really failed here. We all need to do more – myself included.

Posted in Best-practices, Cloud Computing, Computers and Internet, Infrastructure, New Technology, Professional Development, Security, Uncategorized

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Archives
Categories

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2 other followers

%d bloggers like this: