The NSA isn’t the only government agency reeling from “the Snowden disclosures.” Whatever your views on the young man’s actions, the impact will be felt in every government, military and intelligence agency around the world.
According to NBC News, Snowden had access to NSA servers via a thin client computer. The thin client acts as a poorly secured projector which nonetheless allows a user to connect a thumb drive and copy data.
Last summer, Bradley Manning (of Wikileaks notoriety) was sentenced to 35 years for leaking over 700,000 classified documents. Manning downloaded data from army computers and was able to copy it to an SD card and burn a CD-R copy.
While German and Brazilian leaders publicly decry American espionage, the spymasters have learned a valuable lesson:
Never allow data on employee devices or computers
IT managers responsible for securing classified data are like chess players. They are paid to anticipate future moves by their adversaries. The benefits and risks associated with mobile technologies spread at the speed of light.
Your data belongs in one place and one place only – your datacenter. The rule is simple – once your data leaves your datacenter to employee devices and PCs, game over.
The answer is in the cloud
Now that we’ve determined that all of your data remains on your datacenter, how do we allow employees to work?
The virtualized enterprise cloud
Unlike a conventional file transfer, a virtualized session sends the client only rendered screen output; the underlying data never leaves your control. Sending bitmaps is a lot safer than sending real data. It severely limits your potential losses. What if Snowden had been using a virtualized cloud session in his role as an NSA sysadmin? The server in Washington or Virginia would have stored classified data, as it does now. Instead of a thin client, Snowden’s computer or device would have acted as a display. In this scenario, Snowden would have tried to copy NSA data from a virtualized session and discovered that there was no data to be found.
The same goes for Bradley Manning. What if he had logged into a virtualized session while serving in Iraq? He would have connected his SD card to the army computer and discovered there was nothing to copy.
There is no way to prevent every data leak just as there is no way to attain a 0% crime rate. But we can – and should – make it harder. We can begin by preventing massive data exports. The next Snowden can take screenshots or manually take photos of the device, thereby creating a “lossy data export.” It is a lot easier to spot a government employee engaged in a “clicking frenzy” than it is to catch him in the act with a thumb drive. Screenshots will never get you 700,000 classified documents.
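The “clicking frenzy” described above is a rate anomaly that a session gateway can flag once bulk export is off the table. The following is an added example, not code from the original post: a sliding-window burst detector in Python run over a constructed session audit log. The log format, the event names and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log from a hypothetical virtualized-session gateway.
# Assumed line format: "<ISO timestamp> user=<id> session=<id> event=<type>"
SAMPLE_LOG = """\
2013-12-05T09:00:01 user=alice session=s1 event=login
2013-12-05T09:00:05 user=bob session=s2 event=login
2013-12-05T09:01:00 user=alice session=s1 event=screen_capture
2013-12-05T09:01:08 user=alice session=s1 event=screen_capture
2013-12-05T09:01:15 user=bob session=s2 event=screen_capture
2013-12-05T09:01:17 user=alice session=s1 event=screen_capture
2013-12-05T09:01:26 user=alice session=s1 event=screen_capture
2013-12-05T09:01:34 user=alice session=s1 event=screen_capture
2013-12-05T09:01:43 user=alice session=s1 event=screen_capture
2013-12-05T09:02:30 user=alice session=s1 event=clipboard_copy
2013-12-05T09:05:00 user=bob session=s2 event=screen_capture
2013-12-05T09:30:00 user=alice session=s1 event=logout
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) session=\S+ event=(?P<event>\S+)$")


def parse(log):
    """Yield (timestamp, user, event) for every well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["event"]


def find_capture_bursts(log, window_seconds=60, threshold=5):
    """Return {user: peak} for users whose screen_capture count within any
    sliding window of window_seconds reaches threshold. Lines are assumed to
    be in time order, as a gateway log normally is."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-user timestamps inside the current window
    peak = defaultdict(int)       # per-user highest count seen in one window
    for ts, user, event in parse(log):
        if event != "screen_capture":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop captures that fell out of the window
            q.popleft()
        peak[user] = max(peak[user], len(q))
    return {user: n for user, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(find_capture_bursts(SAMPLE_LOG))   # alice: six captures in 43 seconds
```

Tune the window and threshold to the normal capture rate of the role; a single screenshot is routine, a steady stream of them in one session is the signal worth an analyst's attention.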
Virtualization isn’t new, nor is the cloud. The innovation lies in mixing these two wonderful tools. The right recipe will go a long way to solve the challenges of modern data security.