Five things PRISM teaches CIOs about doing business in today's world

The bottom line: If we're all being honest, there's little action we can take to prevent government monitoring. It's best to assume that if shadowy government agencies want to snoop on your data, they can.

It's been about two months since the sweeping allegations of United States government surveillance, mainly through the National Security Agency, hit the airwaves. It seems like we get a new taste of how deeply the NSA works with various companies to enable that monitoring every couple of weeks, too.

We may never know the full extent of this program, and some details are still in dispute, but it has been long enough for the general public to start forming conclusions about it. Considering what we now know (or at least what we think we know), here are five considerations for CIOs and technical staff at all companies in the wake of the PRISM monitoring scandal.

1. Everything (Yes, Everything) Leaves a Trail.

Essentially, every service you touch generates metadata (information about you, the transaction and other details), which is stored and can be accessed at a later date. Understanding this is a crucial step to fully appreciating the implications of a surveillance program like PRISM.

Internally, looking at data retention policies for possible modification should move up your priority list. Externally, interrogating your vendors about what metadata is generated through your business with their companies, as well as how it's stored and when it expires, takes on added importance.

2. Assume That Most PRISM Press Is Wrong.

Or, to be charitable, assume that it's at least moderately inaccurate from a technical perspective. As is ever the case, in an effort to make a technical operation understandable and digestible to the average reader, who isn't an Internet communications professional, a significant portion of the media coverage about the PRISM monitoring contains inaccuracies.

For example, there's still much debate about what initial reports from The Guardian on NSA "direct access" to servers at Microsoft, Google and so on actually mean in practice. The Guardian later reported that Microsoft had provided methods of decrypting communications stored in the company's and Hotmail e-mail services; specifically, that "Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept Web chats on the new portal."

It's unclear whether this means that Microsoft helped the NSA penetrate the SSL-based encryption used during data transmission, or that Microsoft stores the records of chats and their contents for a period of time in encrypted form and then gave the keys to the NSA, or something else entirely.

Put simply, we don't know. That makes it hard to guard against this type of eavesdropping. If you don't know what you are securing against, you may be employing strategies that don't address the actual breaches that are happening. The media gives you an overall impression of the scale and depth of any monitoring operation, but don't rely on the reporting for sensible, applicable technical details.

3. PRISM Should Give You Pause About Cloud Migration Plans.

It should be obvious to all that, as disputed as the aforementioned "direct access" claim is, it's certainly easier for the NSA to convince Microsoft, Google or any other cloud service provider to hand data to the federal government, or to monitor the data that's stored there, than it would be for the agency to convince you to hand over data stored locally.

These Fortune 50 providers are big fish with big targets on their backs and, naturally, much of the surveillance effort is going to be concentrated there. By contrast, you would know if a black box were put in your data center, if someone spliced a cable in your server room, and so on.

Now every organization is different. This "threat" of intercepted communications may simply not be on your radar. That's fine. Other CIOs may decide the benefits to their organization from moving to the cloud and storing data at a large service provider outweigh the risks that their communications will be monitored. That's also fine.

However, you should at least consider the impact PRISM and related programs have on how your data is stored, accessed and monitored, and at least make educated, considered decisions about moving to the cloud in light of these revelations.

4. Understand At-Rest Encryption and Plan to Support It ASAP.

While it's impossible for most of us to know for certain, the source of the PRISM leaks believes encryption is a good bet for protecting communications you don't want intercepted or monitored. "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on," Edward Snowden said in a live chat with Glenn Greenwald of The Guardian. "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."

Unfortunately, encrypting email transmissions is a difficult process, not to mention one that's not very user friendly. At the least, encrypting data that is at rest (that is, data that's not being transmitted but is simply stored, such as files on a hard drive) ensures that the data cannot easily be read in plain text if it is transmitted or copied later.

In addition, some cloud service providers are offering a service that encrypts data at rest on their servers. Look into these policies and services from cloud providers, and also ensure that your own data center enables this for sensitive information at a minimum. (This is a good security practice for a number of reasons, not just to avoid the NSA.)
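To make the at-rest encryption point concrete, here is an added example in Go (it is not code from the article or from any provider mentioned in it). It shows the pattern a storage service or an internal application would use: a per-object data key, AES-256-GCM so that tampering with the stored blob or moving it to a different object path is detected, and the data key itself wrapped by a master key that lives elsewhere (the "envelope encryption" arrangement cloud providers use with a key-management service). The sample record, the object label and the key handling are constructed assumptions for the demonstration; in a real deployment the master key would sit in an HSM or KMS rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample "file" standing in for a record stored on disk or in a bucket.
var sampleRecord = []byte("customer=ACME; contract=renewal; value=250000; note=do not forward")

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// label is authenticated but not encrypted context (here: the object's storage path),
// so a blob cannot be silently swapped into a different slot and still decrypt.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes, fresh per object
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or label makes it fail,
// which is what protects stored data from undetected modification, not just disclosure.
func Open(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored blob is too short to be valid")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// WrapDataKey is the envelope step: the per-object data key is itself sealed under a
// master key (KEK) that is held by a separate key service, so a copy of the storage
// volume alone yields only ciphertext and wrapped keys.
func WrapDataKey(kek, dataKey, label []byte) ([]byte, error) {
	return Seal(kek, dataKey, label)
}

// UnwrapDataKey recovers the data key from its wrapped form.
func UnwrapDataKey(kek, wrapped, label []byte) ([]byte, error) {
	return Open(kek, wrapped, label)
}

func main() {
	label := []byte("bucket/acme/contract-2013.txt") // assumed object path
	kek, _ := NewKey()                              // stands in for a KMS master key
	dataKey, _ := NewKey()

	blob, _ := Seal(dataKey, sampleRecord, label)
	wrapped, _ := WrapDataKey(kek, dataKey, label)
	// Only blob and wrapped would be written to storage; the ciphertext still reveals
	// the plaintext length (len(blob) - 28 bytes), which is metadata encryption does not hide.
	fmt.Printf("stored %d bytes of ciphertext and a %d-byte wrapped key\n", len(blob), len(wrapped))

	dk, _ := UnwrapDataKey(kek, wrapped, label)
	pt, _ := Open(dk, blob, label)
	fmt.Printf("recovered: %s\n", pt)

	blob[len(blob)-1] ^= 0x01 // a single flipped bit on disk
	if _, err := Open(dk, blob, label); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The label argument is the part most often omitted in home-grown schemes: without it, an attacker with write access to storage can move a valid ciphertext from one object to another and the decryption still succeeds. Binding the object path into the authentication tag closes that gap at no cost.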

5. At the End of the Day, There's Not a Lot You Can Do.

The very nature of secret surveillance is that it's secret, in that we don't often know when we're being monitored, the extent to which we're being monitored, and how that monitoring is being performed.

The U.S. government has an almost-unlimited budget, the power and the clout to carry out surveillance in numerous ways we both can and can't predict. It can tap Internet lines. It can put secret black boxes in datacenters, as we have seen from Buzzfeed's coverage of the Utah ISP forced to host an NSA server in its racks for nine months.

The bottom line: If we're all being honest, there's little action we can take to prevent government monitoring. We can make it more difficult for our communications to be intercepted in plain text, free and clear (though how much more difficult we can make it is arguable). We can also store data on premises as much as possible so that it's not sent over a wire. But those are stopgap measures. It's best to assume that if shadowy government agencies want to snoop on your data, they can.

Jonathan Hassell runs 82 Ventures, a consulting firm based out of Charlotte. He's also an editor with Apress Media LLC.