Many have jumped on the bandwagon of criticizing one side or the other in the Snowden leaks. Discussions are flying around LinkedIn and other sites about who is to blame ( http://www.theregister.co.uk/2013/08/30/snowden_sysadmin_access_to_nsa_docs/ ). All of this further reinforces my belief that organizations, large and small, need to re-evaluate business as usual.
There is a push for security against external attacks; however, it has been well documented that a large share of threats come from inside: insiders who inadvertently open a path for an outsider, or who deliberately take or leak classified information. I use the term classified intentionally, not in the governmental sense but in the organizational one. Classifying information is not just the responsibility of the government but of each organization (the three properties of information that classification protects: integrity, confidentiality, availability). An advertisement for FedEx from a couple of months ago touted the cost-saving mentality of a company that reprinted on the blank side of used paper. An attendee in the meeting turned a page over and asked about the title on the back, "Executive Compensation List". The head of the meeting dove across the conference table to grab the 'list' out of the attendee's hand. I found this hilarious because it points out that, too often, business as usual does not look at the big picture. Discrete parts certainly need to be refined by subject matter experts; however, the whole needs to be examined as well.
It has been my experience that many companies do not actually classify information into discrete classes, each protected by controls appropriate to that class. Some do not do so because they fear the massive quantity of analysis that awaits them in such an undertaking. Some do not do so because the business-as-usual mentality says that they are 'just fine'. Ironically, the rationale for classification has always been a part of the business culture (i.e. need to know, and the employee does not need to know).
Some technology companies have used this notion to promote the sale of more hardware to store the information. While storage tiering is a needed element of an enterprise strategy, it does not fulfill the priority to classify information and protect it accordingly: tiering decides where data lives based on cost and access patterns, not who may read it. The advent of cloud computing, big data, and the next big technology wave on the horizon (whatever it may be) have only cemented this fact.
The National Institute of Standards and Technology (NIST) publishes standards that dictate how federal agencies must protect how they connect, how they handle and exchange information, and how they store information; private firms widely adopt the same standards as a baseline. What I see in all the stories published about the incident is a collection of facts indicating that the NSA did not follow some of those standards. I will be the first to admit that I do not know exactly how he bypassed security (and I am sure there was security in place). What I can say with certainty is that business as usual within most organizations must be re-examined.