
Has Prism scattered trust in IT security?


In the IT security and communications markets, it's been difficult recently to escape exposure to what's known as ‘lawful interception'.

It's a concept familiar to many working within the security industry, and even to many members of the general public: A court order is issued for surveillance, and it is then done with the cooperation of the ISP, telco or network operator. It's a well-documented, clearly traceable process with a legal basis and offers no surprises.

However, the revelation of the NSA's Prism surveillance programme, which has allowed industrial-scale access to the data and voice traffic, stored information, file transfers and social networking activity of both individuals and organisations without their knowledge or permission, has provoked a mass outcry.

It's bad enough that cyber criminals have for years been illicitly accessing data and intellectual property, and using it to their own ends – but it's even worse to find that government agencies may have been doing the same.

While government officials rush to assure companies and the public that Prism isn't being used on them, and that safeguards exist to ensure their data and records are not being compromised, this is doing little to reassure anyone.

Undermining the ‘trusted network'

Of course, there has been speculation for some time that the intelligence agencies of the superpowers have had the ability to unlawfully monitor individuals and gather information using in-depth knowledge of networking and security solutions and software.

Now that this speculation seems to have been confirmed by the news about Prism, it raises a critical question: Can equipment and software originating from countries involved in such information-gathering really be completely trusted and relied on for corporate security?

Recent developments involving the multinationals that provide much of the networking equipment, communications applications and search engines that form the infrastructure of the internet and other global networks indicate potential threats to privacy.

The fact is that the majority of all internet searches use a single search engine, a substantial proportion of smartphones come from one vendor, and the majority of operating systems and cloud email servers originate from just one source. Any of these organisations might be required to assist their domestic government with information gathering related to national security or perhaps for economic advantage.

Trust me – and my 800,000 colleagues

This raises further questions. Can these suppliers be trusted with private information or sensitive intellectual property? Could confidential business intelligence and intellectual property be secretly taken and used for economic gain?

This activity need not be supported by a government department: Over 800,000 people in the US hold top security clearances; that's about the same as the population of the city of Stockholm. Can every single one of those 800,000-plus people be fully trusted? Remember, we now know about Prism because of the actions of a single individual who had access to top-security material.

Cloud applications provided by Facebook, Google, Skype, Yahoo and others are widely used by business to attract customers and to build relationships with them. Banks, for example, might interact with customers using applications on social networking sites.

Even if the interaction doesn't involve exchanging confidential information, it could open a route via the application into the bank's server farm, through which protected information could be retrieved.

Possible backdoors in networking equipment such as security gateways and firewalls must also be considered. If such backdoors exist they could give an external third party a hard-to-trace way to interfere with traffic flow.

One method of triggering a backdoor in networking equipment is known as dynamic port knocking: the third party sends a particular sequence of connection attempts to closed ports, which the device recognises as a signal to open a hidden control channel. Because the knocks look like ordinary scanning noise and the device need not log them, the technique is very hard to detect and leaves little trace, but it could give a third party total control, allowing them to eavesdrop on, or intercept, internal traffic.
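The knock pattern described above, as an added detection example that is not part of the original article and not code from Clavister or any other vendor: a Python script that reads constructed iptables-style firewall log lines and flags a source whose short burst of dropped SYNs to distinct closed ports is followed, within a few seconds, by an accepted connection from the same address. The log prefix, the addresses, the thresholds (three knocks, ten-second window) and the assumption that the knock is a TCP SYN sequence are all assumptions made for the example.

```python
"""
Spot port-knock sequences in firewall connection logs.

Signature used here (an assumption, not a vendor specification):
a source sends a short burst of SYNs to distinct closed ports (all logged as
DROP) and, within a few seconds, gets an ACCEPT from the same firewall.  A
plain scanner produces drops but no accept; a legitimate client produces an
accept with no preceding drops.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    ts: datetime
    src: str
    dpt: int
    action: str  # "DROP" or "ACCEPT"


class KnockAlert(NamedTuple):
    src: str
    knock_ports: Tuple[int, ...]
    opened_port: int


# Constructed sample, netfilter LOG-target style with assumed prefixes
# [FW-DROP] / [FW-ACCEPT].  198.51.100.7 knocks 7000,8000,9000 then reaches 22;
# 192.0.2.33 is a slow scanner; 192.0.2.80 is an ordinary HTTPS client.
SAMPLE_LOG = """\
Jun 10 02:14:01 fw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44123 DPT=7000 SYN
Jun 10 02:14:01 fw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44124 DPT=8000 SYN
Jun 10 02:14:02 fw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44125 DPT=9000 SYN
Jun 10 02:14:03 fw kernel: [FW-ACCEPT] IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=44126 DPT=22 SYN
Jun 10 02:20:15 fw kernel: [FW-DROP] IN=eth0 SRC=192.0.2.33 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=23 SYN
Jun 10 02:31:15 fw kernel: [FW-DROP] IN=eth0 SRC=192.0.2.33 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=445 SYN
Jun 10 02:31:20 fw kernel: [FW-ACCEPT] IN=eth0 SRC=192.0.2.80 DST=203.0.113.5 PROTO=TCP SPT=60210 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"\[FW-(?P<action>DROP|ACCEPT)\] .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog omits the year
    return Event(ts, m["src"], int(m["dpt"]), m["action"])


def find_knock_sequences(log_text: str, min_knocks: int = 3,
                         window_s: int = 10) -> List[KnockAlert]:
    """Return one alert per ACCEPT that was preceded, within window_s seconds,
    by at least min_knocks dropped SYNs to distinct ports from the same source."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev.src].append(ev)

    alerts: List[KnockAlert] = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)  # stable: equal timestamps keep log order
        for i, ev in enumerate(events):
            if ev.action != "ACCEPT":
                continue
            # Walk backwards over this source's recent drops.
            knocked: List[int] = []
            for prev in reversed(events[:i]):
                if (ev.ts - prev.ts).total_seconds() > window_s:
                    break
                if prev.action == "DROP":
                    knocked.append(prev.dpt)
            knocked.reverse()
            distinct = tuple(dict.fromkeys(knocked))  # keep order, drop repeats
            if len(distinct) >= min_knocks:
                alerts.append(KnockAlert(src, distinct, ev.dpt))
    return alerts


if __name__ == "__main__":
    for a in find_knock_sequences(SAMPLE_LOG):
        print(f"{a.src}: knocked {a.knock_ports} then reached port {a.opened_port}")
```

The practical caveat follows directly from the article's point: a device that hides a backdoor can equally well suppress the DROP lines that this detector depends on. The logs should therefore come from a source the suspect device does not control, such as a passive tap, a span port feeding a separate sensor, or an upstream router from a different vendor.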

So with accusations and counter-accusations flying between the West and the East about who has been accessing what information and to what end, and with denials from the vendors named in Prism, where does this leave organisations that have serious questions about the integrity and trustworthiness of their networking and security solutions?

I believe that organisations will start to evaluate their risk of exposure to government-sanctioned snooping. They will reconsider their usage of, and reliance upon, solutions from the established ‘big names' from both the West and the East, and will start to evaluate alternatives that have not been tainted by this loss of trust.

As the old saying goes: Trust is like a mirror; you can fix it if it's broken, but you'll still see the cracks.

John Vestberg is CEO of Clavister
