All I want for Christmas...
Security wish list
Mark Rasch takes a step back and offers his holiday and New Year's wish list of all things security - items that should exist, be made available and be easy to use for everyone over the coming year.
It is traditional this time of year for people to make lists of what they want for the holidays. You know, a Nintendo Wii, a PS3, a Treo 700p... depending on whether you have been naughty or nice (I hope you all are taking notes). But for the information security-minded, I have developed my own personal wish list of technologies and applications which, as both a lawyer and an information security professional, I would like to see both developed and implemented in the coming year. Now I know that individual aspects of these technologies actually already exist - some of them for many many years. And I know that niche products may meet some or all of the goals I want to achieve here. I welcome comments about how a particular technology may meet the needs. What I want for Christmas (or Hanukkah, Kwanzaa, Eid, or whatever) is a solution that works seamlessly and with no user input. So here is my Christmas list:
1. Easy encryption
Lets face it, communications and files are not secure. What I want is to send an e-mail just the way I always do: look up an address (or click on a link, or retrieve a stored address) and have it sent in a way that cannot be intercepted, read or interfered with by anyone other than the intended recipient. Oh, and authentication of both the sender and receiver would be nice as well, so I can block spam more easily, and so the recipient can know the mail came from me. I want this done with little or no overhead costs, and no user input. I just want to send secure e-mail.
The files on my computer also should be encrypted seamlessly and effortlessly. In other words, when (note I say when, and not if) I lose my laptop computer, I want to know that the only thing they got that was useful was the hardware itself no data, and I mean absolutely no data should be compromised. Imagine if the Veterans Administration had something like that. Yeah, I know RSA and PGP have programs that do this, and that Vista will do the same thing, but I want it to be idiot-proof, or at least idiot resistant. I want the stuff scrambled without my input. So much for data breach notifications.
On the other hand, as an administrator, manager or compliance officer, I want to be able to monitor everything going on inside the company. I want free range (with appropriate auditing) to look at any files within the company I need to see. Nobody said this was going to be easy or even possible. Remember, as Ralph Waldo Emerson said, a foolish consistency is the hobgoblin of little minds.
2. Know what you know...search for the rest
I can conduct a Google search of a few billion web pages in about 3.2 seconds, including the use of boolean searches, key word searches, and other kinds of searches to find relevant information. But, as a lawyer and litigator, if I get a document request in discovery for all documents relating to the Jones contract, it takes months to sort through all the files in the company and index them to find the right documents. In fact, most companies see the process of inventorying, collating and examining documents as a necessary evil in preparation for or in response to litigation or threats of litigation.
What this means as a practical matter is that the company is spending money and resources to help out the person suing them to learn what happened in a particular transaction or series of transactions. This is silly. What a company should be able to do is to conduct a search of all documents oh, and I mean all documents (documents, spreadsheets, e-mails, instant messages, chat sessions) within the company (on every desktop, laptop, and server anywhere in the world) no matter how it is maintained (or stored on i Pod, thumb drive, and so on) It should be able to find these documents long before and irrespective of any litigation.
The law presumes that a collective entity known as a company, a partnership, or a government agency knows everything that any part of that entity knows. So if Employee X in Chicago knows one thing, and Employee Y in Santiago Chile knows something else, then the Company knows both things. We all know that this presumption is absurd. The problem is, as a decision maker, you should have the ability to at least find the information that is collected within the IT systems of the company as easily as you could find a decent pair of tennis shoes. Moreover, you shouldn't wait for a lawsuit to do this. It is important to know what you know as you are making decisions, not afterwards.
Of course, this would require not only indexing and searching every bit of digital information within the enterprise, but also deciding in advance who would have the authority to search for these files, and for what purposes. Oh, and remember where I said above that everything in the company would be encrypted? Again, consistency is not essential here, we are talking Santa Claus today. This is a wish list. If Santa can fit down the chimney of my gas powered fireplace, surely he can do this.