Last May, Edward Snowden, a 29-year-old mid-level IT technician employed by National Security Agency contractor Booz Allen Hamilton, collected and turned over highly classified information to a U.K. newspaper reporter about U.S. surveillance programs, shaking federal security agencies and their private contractors to their foundations. Snowden’s information revealed programs such as the interception of U.S. and European telephone metadata as well as the PRISM, XKeyscore and Tempora Internet surveillance programs. Snowden’s release of NSA material was called the most significant leak in U.S. history by Pentagon Papers informer Daniel Ellsberg.
The leaks have caused significant political damage in the United States and profoundly damaged relations with foreign governments. Snowden’s actions demonstrated that a single mid-level insider can intercept highly confidential information and compromise even the U.S. government.
While this instance primarily affected the federal government, the implications for enterprises are equally significant. What exactly can enterprises do to ensure that an Edward Snowden situation does not hit them? eWEEK and business collaboration security provider Brainloop suggest some fundamental precautions in this slide show.
Keep Security Simple: 10 Ways to Prevent Damaging Data Leaks
By Chris Preimesberger
Don’t Rely On Compliance Policy Alone
Extensive, stringent security policies often burden employees with costly, time-consuming training.
As reading security policies is not a user-friendly experience, employees tend to read only what they feel they need and dismiss the rest.
This apathy signals a need to streamline security policies and make it easier for employees to understand and follow them.
Support Efficient Workflows
The goal for any enterprise security program should focus on supporting an efficient employee workflow.
The employee should be able to open an email, type an address, drag-and-drop a file and decide if it is sensitive.
If it needs to be protected, click a button and send. One mouse click and a little bit of intelligence, and sensitive information is guarded.
The same simple approach should be considered for every point of exchange and revision throughout the sensitive information’s lifecycle.
Focus on Protecting Information vs. Infrastructure
Infrastructure in an age of BYOD is too vulnerable.
A new paradigm that protects the data before the infrastructure is necessary. Properly protected data stays secure when infrastructure gets cracked, which it often does. Protect data first. Companies whose sensitive and secure data is at stake want a detailed user interface that is easy to learn and still provides the utmost control and flexibility over the visibility of that data to those inside and outside the organization.
Ubiquitous Security Through Access Control
A best practice is to ensure that high-value information is matched to people of correspondingly high security value: trustworthy people with appropriate permissions and access. Consider all end-users agents of security. End users are also partners and providers, particularly in an age of cloud computing.
This fact calls for provider shielding: once encryption is set up for the application and its use, the provider should have no capability to access the information within its customers’ data.
A provider can (and should) still help clients build a private cloud without being privy to its content.
Beware of Consumer-Grade Cloud File Sharing
One of the greatest end-user enterprise security threats is having to compete with the convenience and emergence of consumer electronics and platforms for data exchange and collaboration, such as free cloud-based file sharing. Today, employees need to collaborate.
If the enterprise doesn’t provide a secure file-sharing system, they will certainly use one of the many insecure consumer-grade platforms to get the job done.
‘He Who Guards Everything Guards Nothing’
Frederick II of Prussia said it, but the expression applies here. It prompts leadership to think efficiently about what needs to be guarded. Focus on risk areas and take action on them, rather than safeguarding everything. Where are the obvious and the more obscure risks? Simply put: Secure your vulnerable and high-value data.
Guard Against Inside Jobs
Many security breaches and data compromises are inside jobs; there may be an Edward Snowden down the hall from you. External stakeholders pose risk, but internal stakeholders can pose more. Focus on access and privacy controls and instill security policy and compliance from the inside out. Guard with targeted precision, and your protection will be stronger.
Security Can’t Be an Afterthought; Ease of Use Is Important
Security must be tightly integrated into the professional enterprise technologies that end-user employees are already using, not bolted on afterward. Security solutions should seamlessly and tightly integrate with popular applications that are part of employees’ workflows.
If a busy employee has to close out of Microsoft Outlook or open another program window to secure his email, he will likely skip the step.
Security Should Be Selective but Simple
Easy-to-use technology and a little bit of intelligence could not only guard newly created information but help classify existing unprotected information.
A company can use three easily understood categories of information: a) I know it’s sensitive, so store it in the most secure category of our solution; b) I think it’s sensitive, so store it in a medium security area; c) I know it’s not sensitive, so leave it on a hard drive.
Turn Employees From Liabilities to Security Assets
Easy-to-execute security training and qualification will be most effective when it is focused and people-friendly, so that compliance follows. Remember, most of the time, employees will choose the pressures of their job over the drudgery of reading a security policy or navigating complex technology. Select the best technology to enable the company’s policy. It’s as easy to be secure as it is to just send a file. It costs one click.
Chris Preimesberger was named Editor-in-Chief of Features & Analysis at eWEEK in November 2011. Previously he served eWEEK as Senior Writer, covering a range of IT sectors that include data center systems, cloud computing, storage, virtualization, green IT, e-discovery and IT governance. His blog, Storage Station, is considered a go-to information source. Chris won a national Folio Award for magazine writing in November 2011 for a cover story on Salesforce.com and CEO-founder Marc Benioff, and he has served as a judge for the SIIA Codie Awards since 2005. In previous IT journalism, Chris was a founding editor of both IT Manager’s Journal and DevX.com and was managing editor of Software Development magazine. His diverse resume also includes: sportswriter for the Los Angeles Daily News, covering NCAA and NBA basketball, television critic for the Palo Alto Times Tribune, and Sports Information Director at Stanford University.
He has served as a correspondent for The Associated Press, covering Stanford and NCAA tournament basketball, since 1983.
He has covered a number of major events, including the 1984 Democratic National Convention, a Presidential press conference at the White House in 1993, the Emmy Awards (three times), two Rose Bowls, the Fiesta Bowl, several NCAA men’s and women’s basketball tournaments, a Formula One Grand Prix auto race, a heavyweight boxing championship bout (Ali vs. Spinks, 1978), and the 1985 Super Bowl.
A 1975 graduate of Pepperdine University in Malibu, Calif., Chris has won more than a dozen regional and national awards for his work.
He and his wife, Rebecca, have four children and reside in Redwood City, Calif. Follow on Twitter: editingwhiz