You run a tight computing ship. Your organization's security profile is healthy, and you're confident about all the firewalls, single-sign-ons, intrusion detection, end-point protection, and other mechanisms you put in place.
When your employees leave the office, though, the first stop they make is to a store where they're electronically tracked. A deep identity dossier is available on each of them — and on you. What does that mean for the security of your company's IT? When that employee returns, and does his work through a virtualized server, is he more or less likely to be cracked? What can you do about these new threats?
No one knows. The scandals aren't public yet. They're starting to emerge, though, and they're going to end up on your doorstep.
Unless your organization is very unusual, it's almost certain that you'll live the old joke about the bear. The bad news is that you can't outrun the bear, and your network absolutely is vulnerable. The good news, though, is that, most of the time, you only have to be faster than the others the bear is chasing. Make your system a bit tighter than the average, and perhaps the bad guys will move along in search of easier prey.
Here are seven areas where you need to learn the answers before your bosses or crackers do:
Which Laws Govern the Cloud?
By now, you know to be careful about compliance and retention, not just so that you are operating legally, but to armor yourself against being collateral damage. Even if you and your company are entirely free of crime, and you get along great with all your customers, you still could find misery when a business partner or even competitor ends up in court and takes you along.
Once your records are in others' hands — whether government or a civil actor — through a discovery process, they're available to "leak." This isn't about conspiracies or dark designs; it's simply a fact that mistakes happen, and the more places your data are duplicated outside your control, the more likely it is that an accident will affect you.
You're probably already investigating the security of the cloud. In principle — and often in practice — "[T]he security of the cloud is going to be measurably better than the security we have in the curren...," in the hopeful words of US Congressman Dan Lungren, chairman of the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.
Not so clear, though, is how national laws operate in the cloud. Many governments claim extraordinary powers to decrypt and inspect data in their jurisdictions. Even though the conflicts and difficulties of these claims have been evident for years, there has been little resolution to this point. It's still hard to know exactly what will happen the next time a warrant or subpoena is served on a part of the cloud.
For the moment, the best you can probably do is to ask each prospective cloud vendor to document how privacy and disclosure laws apply in its cloud. None of the alternatives you'll consider will be perfect. It's reasonable, however, to look for one that best fits your situation.
Virtualization Promises and Pitfalls
Virtualization has a lot in common with cloud computing. At an executive level, virtualization should allow for convenient divisions of labor to improve utilization, uptime, and, among other qualities, security. Virtualization promises that applications are better insulated from each other, and provisioned in more standard ways; both these trends ought to contribute to security.
Virtualization practice remains young, though, and not all the kinks are worked out. In particular, the "base" or host for a virtualization farm needs more careful protection than it often receives. Make sure you keep the policies for your server administrators in balance with those for the individual virtual environments and operators they enable.
Biometrics Across the Threshold
Biometric authentication is available in the mass market now. On the whole, the technology is good, and contributes to network security.
Keep these ideas in mind:
Run a pilot project. Bring fingerprint readers in, sure, but run them with a small population first to shake out any difficulties. Adoption remains too low for it to be safe to roll out biometric authentication in a "big bang" to all the staff of a non-technical organization.
As with so much of computing, biometrics has the potential to involve you with the legal system. In principle, authentication is "one-way." There's no way to reconstruct from what's in the computer how a person's (validating) fingerprint looks, so the police should have no interest in the keys in your database. I'm personally not convinced; a warrant to retrieve these keys and the library which uses them wouldn't surprise me.
Perhaps more likely: a warrant specifically to retrieve the physical fingerprint reading pad on a particular desktop unit, with the aim of lifting a print from it. This is effectively no different for the organization, though, from any warrant to remove equipment which might bear on an investigation or suit.
Even more likely is an exploit going the other way. Health clubs, libraries, voter registration departments and other "civilian" agencies are investigating (and in some cases deploying) fingerprint-based identification systems for patrons' convenience. In principle, these implementations can't be leveraged to attack another unit, even one based on the same technology. I predict that the defenses will turn out to depend on correct installation, though, and then the outcome is inevitable: Someone won't reset the factory password, or a physical unit will turn up missing, or a database host will be inadvertently copied to a Torrent known to every cracker. The desktops in your installation then can only be accessed by their rightful users — along with anyone else who copied their fingerprints.
Biometrics are worthwhile. The exploits I describe above still keep at least a couple of physical barriers between crackers and their targets within your organization, probably enough to encourage them to seek elsewhere. Realize that the barriers aren't absolute.
There are at least two other things your users do outside the office that threaten what happens inside it. One is that they re-use passwords. Even sophisticated business people think of "TheNameOfMyDog" or "TheBigCityWhereIWasBorn" as their passwords, which they use not only to authenticate against your highly-secure database applications, but also with Facebook, Blockbuster, and countless other sites. Those other sites have been and will be cracked. Your applications are open.
It's unreasonable to expect users to behave differently. Most of them fill their days thinking about things that are more compelling and long-lasting than computer security, and they're really not in a position to behave more securely. The best leadership we can exhibit is not to adopt policies that make good security behavior hard, as this XKCD cartoon illustrates.
The long-term solution to password difficulties is to move in the direction of passphrases combined with digital and physical keys.
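One way to act on the two points above, as an added example that is not from the original article: an acceptance check that rewards length (so a passphrase passes without arbitrary complexity rules) and refuses any password already known from a breach, since a reused password is only as safe as the weakest site it was used on. The breach lookup follows the k-anonymity shape of the Have I Been Pwned "Pwned Passwords" range API (the client reveals only the first five hex characters of the SHA-1 and matches the remainder locally), but the corpus here is constructed and `constructed_range()` is a hypothetical offline stand-in, not that service's client.

```python
"""Passphrase-friendly password acceptance with a breach-corpus check.

Added example, not code from the original article. The breach corpus is
constructed sample data; constructed_range() is a hypothetical offline
stand-in for a k-anonymity range lookup (5-char SHA-1 prefix sent, suffix
matched locally), so nothing here talks to the network.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed sample of "breached" passwords, standing in for real breach data.
_CONSTRUCTED_BREACH_CORPUS = [
    "TheNameOfMyDog",
    "TheBigCityWhereIWasBorn",
    "password123",
    "Summer2011!",
]


def _sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form a range lookup compares against."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range(prefix: str) -> dict:
    """Hypothetical offline range lookup: {suffix: count} for every corpus
    entry whose SHA-1 starts with the 5-character prefix."""
    out = {}
    for pw in _CONSTRUCTED_BREACH_CORPUS:
        h = _sha1_hex(pw)
        if h[:5] == prefix:
            out[h[5:]] = out.get(h[5:], 0) + 1
    return out


def breach_count(password: str, lookup=constructed_range) -> int:
    """How many times the password appears in the corpus; only the hash
    prefix ever leaves this function, never the password or its full hash."""
    h = _sha1_hex(password)
    return lookup(h[:5]).get(h[5:], 0)


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def evaluate(password: str, min_len: int = 16, lookup=constructed_range) -> Verdict:
    """Accept long, non-degenerate, not-previously-breached secrets.

    Deliberately no 'one digit, one symbol' rule: length and novelty are
    what matter, and a memorable four-word passphrase clears both easily.
    """
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(set(password)) < 4:
        reasons.append("too few distinct characters")
    n = breach_count(password, lookup)
    if n:
        reasons.append(f"appears in breach corpus ({n} time(s))")
    return Verdict(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in ("TheNameOfMyDog", "correct horse battery staple"):
        v = evaluate(candidate)
        print(f"{candidate!r}: {'accepted' if v.accepted else 'rejected'} {v.reasons}")
```

In production the `lookup` parameter would be replaced by a real range client; keeping it injectable is what lets the policy be unit-tested against constructed data.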
The other thing that users do away from work is even harder to condemn: They have lives. In the modern world, that means they leave digital traces. Those traces, even at their most slender, can almost certainly be reconstructed to profile identities with alarming accuracy.
What can security officers do about this? Not much, beyond cautioning colleagues not to assume that an employee is the only one who has detailed knowledge about his own personal characteristics.
Thin Clients for Mobile Workers
Virtual Private Network (VPN) technologies are excellent, and almost keeping up with the challenges they face as workforces increasingly go mobile. It's a stiff contest, though, especially when governments are among the infectious vectors. To tilt the odds in your favor, think seriously about thin clients as your mobile endpoints. A Chromebook, for example, doesn't solve all security problems, but it might take care of enough to free your time to think about deeper solutions. Virtualization vendors throughout the last year have announced plans that hint at a world where cheap, insecure, “disposable” mobile display devices can effectively run well-encrypted connections back to safe desktops.
Development Needs Its Own Data
Finally, it's time to stop using your customers as unwitting test material. However much developers and testers like to have "real samples," they need their own data. Do not copy a database, even an old one, and assume that other departments will protect the privacy of the contents.
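What "their own data" can look like in practice, as an added example that is not from the original article: a scrub pass over a constructed two-table export that replaces every identifier with a keyed pseudonym (so the `customer_id` join between tables still works and developers can test real query paths), coarsens dates, fabricates names and addresses on a reserved domain, and drops free text outright, since notes fields are where stray personal details hide. `PSEUDONYM_KEY` is a placeholder; the tables and rows are constructed sample data.

```python
"""Produce a development copy of customer data that carries no real PII.

Added example, not code from the original article. The two tables are
constructed sample rows; PSEUDONYM_KEY is a placeholder that a real
deployment would generate per environment and keep out of the dev copy,
because whoever holds it can re-link pseudonyms to the original ids.
"""
import datetime
import hashlib
import hmac

PSEUDONYM_KEY = b"placeholder-key-generate-one-per-environment"

# Constructed sample rows standing in for a production export.
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "dob": "1980-03-14", "notes": "Called about billing dispute, mentioned divorce"},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "dob": "1975-11-30", "notes": ""},
]
ORDERS = [
    {"order_id": 5001, "customer_id": 1001, "amount": 42.50, "placed": "2011-06-01"},
    {"order_id": 5002, "customer_id": 1002, "amount": 10.00, "placed": "2011-06-03"},
    {"order_id": 5003, "customer_id": 1001, "amount": 99.99, "placed": "2011-06-09"},
]


def pseudonym(field_name: str, value, length: int = 12) -> str:
    """Deterministic keyed pseudonym: same input gives the same output, so
    foreign keys still match across tables, but without the key the value
    cannot be inverted or cheaply brute-forced from the small id space."""
    mac = hmac.new(PSEUDONYM_KEY, f"{field_name}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def coarsen_date(iso: str) -> str:
    """Keep only the year, enough for age-based logic, not for identification."""
    return datetime.date.fromisoformat(iso).strftime("%Y-01-01")


def scrub_customers(rows):
    out = []
    for r in rows:
        pid = pseudonym("customer_id", r["customer_id"])
        out.append({
            "customer_id": pid,
            "name": f"Customer {pid[:6]}",
            "email": f"{pid}@dev.invalid",   # .invalid is reserved, never deliverable
            "dob": coarsen_date(r["dob"]),
            "notes": "",                      # free text is never safe to carry over
        })
    return out


def scrub_orders(rows):
    return [{
        "order_id": pseudonym("order_id", r["order_id"]),
        "customer_id": pseudonym("customer_id", r["customer_id"]),
        "amount": r["amount"],
        "placed": r["placed"],
    } for r in rows]


def orders_for(scrubbed_orders, original_customer_id: int) -> int:
    """Count orders that still join to a given customer after scrubbing."""
    pid = pseudonym("customer_id", original_customer_id)
    return sum(1 for o in scrubbed_orders if o["customer_id"] == pid)


def no_leak(originals, scrubbed) -> bool:
    """True when no original name or e-mail survives anywhere in the output."""
    blob = repr(scrubbed).lower()
    return not any(r["name"].lower() in blob or r["email"].lower() in blob
                   for r in originals)


if __name__ == "__main__":
    customers, orders = scrub_customers(CUSTOMERS), scrub_orders(ORDERS)
    print(customers)
    print("orders still joined to 1001:", orders_for(orders, 1001))
    print("leak-free:", no_leak(CUSTOMERS, customers))
```

The `no_leak` check is the part worth wiring into the export job: if a new column is added to the source table and forgotten in the scrub, the copy should fail to build rather than quietly ship the field.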