The revelation of the National Security Agency’s PRISM domestic spying program has taught the country a great deal about how its government relates to it. However, the PRISM experience also carries some basic lessons for information technology leaders like CIOs; here are five of them:
- The technology press is, at best, imperfect. After some time, it’s become clear that the reporting of the PRISM scandal has been very inaccurate. While the general broad strokes of the coverage have been both accurate and informative, many of the details have been wrong. One example of this has been that no media source has been able to explain exactly what the NSA servers at Microsoft and Google were actually capable of doing.
- At-rest encryption is a business necessity. Keeping data on corporate networks encrypted provides an extra level of security. It protects the data if the physical drive on which it’s stored gets compromised. It also means that, even if the data is transmitted over a compromised connection, that data still encrypted and protected from spying eyes. One revelation that has come out of PRISM is that when end-users control their own encryption, it works to maintain data privacy.
- Data leaves tracks. Much of the PRISM spying has been related to tracking metadata. The information that gets left behind when data transits the network can be useful to anyone trying to get a better understanding of a business. Reconsidering data retention policies both internally and with extranet users like vendors and customers can help reduce the amount of metadata that gets stored, but it doesn’t change the fundamental fact that the metadata exists and can be snooped.
- Use the cloud carefully. Whenever a company loses control of its data to a third-party storage company and allows it to transit network resources that it doesn’t physically control, the company puts its data at risk of being intercepted. This doesn’t mean that cloud computing is no longer suitable for business — it just means that a measure of caution is appropriate.
- Surveillance can’t be avoided. Before the PRISM revelations, most CIOs would never have guessed the depth of government surveillance activities. Secret government surveillance can come from almost any point in your network, and it’s being performed by an entity that has essentially unlimited resources. Ultimately, it’s best to assume that the only way to truly keep information safe from a determined government agency is not to create it at all.