Enterprise computing in the post-Snowden era

Summary: Edward Snowden didn't just disclose embarrassing details about the NSA. He also exposed weaknesses in enterprise security. How much will things really change?

TOPICS: Security

It seems implausible that nothing will change in the NSA as a result of Edward Snowden's leaks of their practices. But those practices didn't affect just the government. In light of all that has happened you have to reexamine how your own business operates.

John Dickson, a Principal at Denim Group, a security consulting and services company, has proposed six reasons why the Snowden leaks are your problem as well as the NSA's. I'm more struck by some than others, and I have some to add.

Companies will be more wary to cooperate with governments — Oh yeah, big-time. If the government came to you and asked you to do something to undermine your customers, you might well have said no anyway, but now your confidence in the government keeping it a secret can't be what it was before. And as Dickson says, it's not just the US government; anyone who thinks the average European government is more trustworthy is fooling themselves.

Tighter cooperation between security, privacy and corporate counsel will occur — This makes sense superficially, but I'm less certain than Dickson that it will bring about significant actual change.

Companies will review and update their public privacy statements — I agree with Dickson that many in the public believe mistakenly that companies are cooperating voluntarily, even enthusiastically, with the government to compromise their own products. But it's not clear to me that a change in the privacy statement will make a difference to anyone in the public; it's just about satisfying corporate counsel's sense of the company's exposure.

CEOs will question why companies keep certain sensitive customer data at all — This is a good prediction and a good question for executives to ask, but the reason has more to do with data breaches generally and not with the NSA.

Legislation to cooperate with the US Federal Government on Information Sharing is likely dead — It's as dead as J. Edgar Hoover. The government will have to make do with the mechanisms it has now.

International clients will ask American IT companies tougher questions — Yes, of course this is true, but what answers can they really expect? And why would they believe that non-US products and services are more trustworthy? In the end, I think the market impact of this will be small, limited to symbolic anecdotes, mostly in the purchases of other governments.

But why stop at international clients? I'm sure US customers will be asking US IT companies more about the security of their products and services, although they too can't reasonably expect informative answers.

Another potential outcome Dickson doesn't address is the vulnerability of your own employees. If Edward Snowden can get through the NSA's contractor process, what kind of traitorous scoundrels work in your own IT department? You need to think about whom you trust with the company jewels, and perhaps narrow that circle of trust to a few people whom you can scrutinize more thoroughly.

Another prediction worth making is that this is all good for the business of security consulting and penetration testing. If you assume that the government has bugged us all, you probably have to look for the bugs more often and more assertively. Of course, you have to assume that your consultants and pen-testers aren't really working for you-know-who...

  • How rigorous are the screenings anyway?

    Back in the old days when contractors were AFRAID TO LOSE government contracts, they had to be stricter about employee background checks (one French-owned company in the 1970s had to spin off a US subsidiary in order even to GET contracts requiring security). Now they all have a Congresscritter or two in their pockets to get around that pesky "over-regulation."

    Snowden may have been an exception, or he may have been the rule, but good IMPARTIAL government would require that this work ONLY be done by properly screened civil service employees in GOVERNMENT offices, not only to protect national security, but to avoid the use of their authority to gain unfair advantages in BUSINESS competition.

    Security screenings for employment in private corporations to protect their OWN assets can be as strict as they feel necessary and are willing to pay for, provided they can get ENOUGH candidates through to stay in business. During a recession, of course, that will be easy; when prosperous times come, it may be a bit harder.
  • An obvious result will be

    the renewed interest and use of strong encryption by private parties. You can't trust anyone anymore.
  • That's pretty much it

    I still don't know if Snowden was right to steal and leak all those docs, but he has forced discussion of a lot of issues that needed it.
    John L. Ries
  • ...traitorous scoundrels...

    I assume by this phrase the author intends to address malicious intent. Clearly, Mr. Snowden showed great intent; the malicious part is not proven yet, however. I make that distinction because, whether you believe all the details or not, ES clearly thought his EMPLOYER was malicious, and intended to subvert the foundation of the government it supposedly protected. Applied to business, this means that intelligent employees who suspect malice at the C-level must be included in the mix, and that group could be much larger than "scoundrel" implies. It could include whistle-blowers who are willing to put their careers (their family's lives) on the line because the corporation they work for is acting evilly. Few of them are (or will be) as successful and daring as ES, but one must assume there are more than a few of them out there.

    As always, the most valuable asset and the greatest risk of any business is/are its employees. In the NSA's case, they apparently forgot that. The corporations who forget that may produce "traitors" who consider that the corporation itself has betrayed its employees and/or customers, and then act accordingly...