The recent revelation that the NSA collects massive amounts of user data from various technology companies has caused many IT pros to re-evaluate their user policies and data privacy tactics.
Though news of the National Security Agency (NSA) surveillance program
I assume the only data I really control is the wallet I keep locked in my drawer at work.
Web services and software engineer, MiTek Industries
One company that has done some of those things is Money Crashers Personal Finance, a media publication based in Denver. It has revamped its nondisclosure agreements for employees, business partners and third-party vendors to make them all-inclusive and as comprehensive as possible. It has also reinforced its policy that only top-level IT staff members have access to the company's most private data, according to Gyutae Park, head of IT at Money Crashers.
For Money Crashers, one pertinent lesson to take away from the NSA surveillance scandal is not to inherently distrust moving data outside the firewall, but rather not to put so much blind trust in employees, Park said.
"What is cause for concern is not knowing who has access to our data," he said. "The last thing we want is for someone within our organization to decide to leak all private materials regarding our company."
IT admins are typically some of the most trusted people in organizations, and have access to all the data, just like Eric Snowden did , Park noted.
The PowerPoint leaked by Snowden about the NSA's PRISM program detailed the agency's ability to collect emails, photos, videos and more from nine tech companies including Microsoft, Google, Facebook and Apple.
"From a security perspective, we tend to devalue the insider threat," said Scott Matsumoto, head of the mobile security practice at Cigital Inc., a software security consulting firm based in Dulles, Va.
There has been a tremendous amount of debate, however, about whether PRISM allows direct access to these companies' servers through a back door, somewhat limited access, or access only through the fulfillment of individual, legally-required requests. There's also been some confusion over how concerning the NSA surveillance is, because the NSA has allegedly collected metadata rather than actual data, such as contact lists, photos, intellectual property and personal information, Matsumoto said.
"The distinction between data and metadata is the difference between snooping in by recording an actual phone call or only having information that a phone call was placed," he said.
The problem for organizations is that metadata generated by cell-phone calls or employees' Internet use can easily be turned into usable data that puts them at risk.
All nine of the tech companies listed as current NSA providers have denied allowing the NSA direct access to their servers, and now several of them, including Google, Twitter and Microsoft, are calling on the federal government to allow them more transparency regarding government data requests.
"At the end of the day, it's a question of how paranoid we want to be," Matsumoto said. "In a consumer-driven world, privacy and security is the primary goal that IT pros should have for the data we are holding on behalf of our customers and employees."
Can you enhance data privacy?
Meanwhile, the tools and methods IT pros use to secure their organization's data are still the same, whether the threat comes from a foreign organization, a group of rogue hackers or potentially the U.S. government, said Justin Daniels, a Web services and software engineer at MiTek Industries, an engineering services company based in St. Louis.
"I assume the only data I really control is the wallet I keep locked in my drawer at work," Daniels said. MiTek uses a cloud provider for one of its major systems and is actively looking at Windows Azure and Amazon Web Services to see which other systems it can strategically move to the cloud. That plan hasn't changed or been altered since the NSA story broke.
The company relies on Citrix System Inc.'s Receiver for remote laptop access to its network applications and email. It has established a tiered approach for granting access to mobile workers. For example, corporate managed and owned devices have the most access, while employee-owned devices have less access. Both scenarios allow users to take advantage of a secured app for file syncing from Accellion Inc.
"Coming up with those user policies is important," Daniels said. "There's a lot of technologies and policies we could implement for security that our users would just find inconvenient. Our challenge is still to be secure without being too secure."
Daniels worries that adding too much security and policy over what MiTek's employees can do could cause them to circumvent the IT department and introduce undue risk to the organization.
Others suggest making use of data encryption technology and leaving the firewall, or forgoing the cloud and third parties for data backups in favor of on-premises backups.