New Security Revelations: Governments Spying More than Expected
The New York Times, The Guardian, and Pro Publica are jointly reporting on new revelations about the extent of U.S. and U.K. (in particular) government surveillance of Internet communications. The revelations come primarily from U.K. GCHQ documents characterizing GCHQ and NSA capabilities. Former NSA contractor Edward Snowden obtained the documents and shared them with media outlets. Bruce Schneier, a security expert advising The Guardian, comments on the revelations and offers some practical advice.
I'm still absorbing the implications of these revelations. If they're true, I tend to agree with the security experts who are concerned about risks to people and their private information. One of the important roles of government is, ostensibly, to protect its citizens. If the government continues trying to undermine IT security in various ways, the government is making its own citizens easier to attack. Which is exactly backwards, of course: a security agency should be promoting the safety and security of its citizens, not undermining it. It doesn't take a Hollywood movie or even an Edward Snowden to understand that if the "good guys" can get in then so can lots of "bad guys." And the "good guys" have a lot more to lose when they're vulnerable.
I agree with Bruce Schneier that the IT engineering community will be doing a lot of work in this area over the coming weeks, months, and years to improve IT security and to better protect privacy. These revelations will also probably spur a lot of political discussion about the appropriate role of government and what the limitations on government should be. That's not a new debate, nor is it one that should ever end. In my view we must constantly remind ourselves of the Fourth Amendment to the U.S. Constitution, and we must meet or exceed that high standard.
OK, what about mainframes? Bruce Schneier's advice is heavily client (end point) focused, and that's appropriate for his readership. In the world of servers and enterprise computing there are also important considerations, and I would advise all IT professionals to pay close attention to security discussions and improvements coming out of the IT engineering community. I would also point out that I see way too much carelessness. I'm not talking about whether extremely well funded government intelligence agencies can access your applications and databases. I'm talking about rank amateurs. For example, do you have 3270 "green screen" terminal connections to your mainframe, for end users and/or for administrators? If yes, are those connections encrypted? You're sending mainframe user IDs and passwords across those links every day, across your wide area network perhaps. They're not encrypted, in the year 2013 (or even 2003)? Really? When exactly are you going to take security even half seriously?
As another example, is your idea of application integration to dump half your customers' most sensitive personal information into sequential files every night then FTP that — unencrypted of course — to dozens of different distributed servers, only to run a poorly secured application? How is that possibly secure? How is that being a responsible steward of your customers' private information? It isn't, yet I see it practically every day. Too many IT people think it's a good idea to copy data everywhere, all the time. There's no way you're ever going to protect your organization against even rank amateurs with that architectural approach. Stop copying data and start securing it. That means, paradoxically, opening up your mainframe to authenticated, authorized, and (usually) encrypted, direct access to application and information services. Why, just last week I had a conversation with an IT manager about this very issue. That manager questioned whether it was secure to access DB2 for z/OS directly from a PC-installed productivity tool. Compared to what? Compared to extracting all the data (not just the records the end user is supposed to be accessing) to a flat file, FTPing it (on a clear wire) to another database running on Microsoft Windows (!), then accessing it there, without any security context whatsoever? Of course that isn't secure. And I'm going to partially blame "mainframe people" — you know who you are — for setting arbitrary "security policies" which end users inevitably must circumvent in order to get their jobs done, or because they think they're "saving MIPS." I've even seen end user departments set up elaborate screen scraping tools on batteries of client PCs in order to perform data extracts, because that's what the "mainframe people" and their "security policies" require them to do to keep the business running. This madness must stop!
Now, for those two organizations in the world that have eliminated the low hanging vulnerabilities and that have stopped all the madness, I would recommend getting a mainframe if you don't already have one. (If you don't have one you probably aren't one of those two organizations.) Use your mainframe as your premier security hub to better protect your organization. We don't know everything yet — I'll keep reading the press reports with great interest — but what we do know from decades of experience to the present is that mainframes, well managed, have proven especially resistant to security threats. And, I write only half jokingly, we also know that the only organizations that might rival government intelligence agencies in their political power and influence are large financial institutions. All of them would presumably scream bloody murder if their core systems were exposed. Moreover, if you want open source software, you've got it on zEnterprise. Linux on zEnterprise is 100% open source software. There are no proprietary drivers or other closed source binaries required, unlike many other hardware platforms. z/OS has a large and growing collection of open source software available, too, and you can go grab whatever you like and quickly deploy it. (On z/TPF as well.) There's also the unparalleled statement of integrity for z/OS and for z/VM.
Stay vigilant, and stay safe.
|by Timothy Sipples||September 6, 2013 in Security |
TrackBack URL for this entry:
Listed below are links to weblogs that reference New Security Revelations: Governments Spying More than Expected: