The Trichotomy of National Security, Data Privacy, and Data Protection
This post isn’t about a person’s right to privacy, and it isn’t about a corporation’s need to protect its data. It does, however, have everything to do with solving the underlying data security problem facing citizens, businesses, and governments in today’s cloud-heavy, borderless world. Before we get to a possible solution, we first need to frame the problem and address why the siloed approaches taken by the security industry cannot solve it. This is the first post of a multi-part series.
I was first exposed to the concept of digital communications security when I joined the US Air Force in 1989. At that time, my views on data security were pretty black and white, to say the least. Essentially, I had only two opinions on the matter:
- Classified communications had to be kept secure.
- The government has to have access to any and all data, both public and corporate, for national security.
There were no shades of grey.
Eight years (and a few jobs) later, everything changed after I was recruited into a little startup called Pretty Good Privacy (PGP). My views expanded significantly as I began to understand international ramifications of the surveillance state and the perils facing human rights activists, dissidents, and journalists — here and abroad. I was internally conflicted; privacy and free speech couldn’t truly exist in a surveillance state. How can we achieve both when there are truly legitimate cases for government access to private data?
After almost nine years in the security solutions market, I was recruited into one of the largest banks in the world — operating in over 100 countries. While I was an expert on tactical security solutions, I quickly learned I knew very little about the complexities of data protection at a massive, globally distributed organization. Protecting data served multiple purposes, from preventing data leakage and regulatory compliance to business enablement. Data had to be protected, not just from hackers and organized crime, but also from nation-states conducting state-sponsored industrial espionage. Data had to be both protected and surveilled simultaneously while adhering to an ever-evolving landscape of regulatory compliance restrictions.
Let’s sum up where we are so far:
- Countries, under the auspices of law enforcement as well as national security, have (under due process and oversight) the right to access their citizens’ data and communications.
- US Citizens have a right to privacy and free speech.
- Corporations must have the ability to protect, surveil, and disclose their data depending on the situation, regulations, and residency of the data.
So, how can we solve those seemingly conflicting mandates while taking full advantage of the benefits offered by the cloud, mass mobile adoption, and a global marketplace, and why hasn’t this problem been solved before? Cryptography isn’t new. The needs for privacy, data protection, and national security are not new, so why are we still talking about this?
The real answer, sadly, is that those of us in the data protection industry have been lazy and slow to innovate. Amazing, disruptive innovations have sprouted up all around us, and yet, here we sit answering every data protection problem with the same cryptography-based technologies we all embraced almost 20 years ago. Sure, we have lipsticked this pig with key management solutions, containers and CASBs but it’s still just a slightly prettier pig.
Don’t get me wrong; the problem is not inherently in the cryptography, but rather, how we are leveraging it. Our approaches to both symmetric and asymmetric cryptography have not really evolved despite the exponential growth of how and where we access our data. We are still stuck focusing on binding keys to either people or things and then getting the data to those keys to perform encrypt and decrypt operations. Why is that? The people and the things are not really what’s important here. To quote an old boss and good friend, “it’s the data, stupid!”
We spend so much time, money, and effort protecting systems, applications, and containers because they house sensitive data. Our individual siloed security solutions protect data at a snapshot in time, within a specific system. That data then moves to another system where we have another security solution and another snapshot; then maybe, it goes through a CASB into the cloud, another snapshot. And, then to a protected container on my BYOD, another snapshot. What about when I need to collaborate with a partner, a customer or an auditor? What about when I need to legally disclose data to the government? You might be saying, “but, Mike, the big cloud providers let me bring and/or manage my own keys. Doesn’t that solve all my problems?”
Well, it doesn’t for a few reasons:
- Unless all of your data lives its entire life in this single cloud provider, it becomes yet another snapshot.
- Allowing your keys and data to be in the hands of any service provider leaves you at risk: insider threats, cloud compromise and government subpoenas, to name a few. When your data and your keys reside in the hands of the cloud provider, they are the ones the government will compel to get your data.
- When you leverage the key systems of any of the cloud service providers as they stand today, it is essentially a light switch. You either allow the provider access to all of your data, or you revoke access to the key, thus severing the relationship. You cannot pick and choose which bits of information the provider has access to; you cannot, for example, block Microsoft from seeing the merger and acquisition details between Yahoo and Google that your company happens to be brokering (hypothetical scenario, not based on real events).
In this multi-part series, I will take you through several real world data lifecycle scenarios — covering global finance and connected health care — to demonstrate how the systems we’ve deployed are struggling to keep up with demands on today’s data. As we shift our focus from the systems protecting the data to the data itself, a pattern will emerge outlining both the requirements and the amazing possibilities of a new industry framework, allowing for true data freedom while maintaining complete data control and visibility. Spoiler: I am not only an altruist, but there is obviously money to be made here.