May 20 2012
I just spent the last two weeks in Singapore, Kuala Lumpur, Sydney and the Gold Coast. It was arguably one of the best trips of my career, both from a work perspective and from a tourist perspective. Of course, I’ve never really been a one man traveling road show before, but it’s part of the role when your job title includes the word ‘evangelist’. I was more than a little humbled by some of the people I got to meet and excited by the chances I had to meet a lot of people who’d only been digital signatures up until this point. Nothing like finally putting a face to a name 8000 miles from home to make you realize how small the world really has become.
One of the more interesting conversations I found myself in was at the AusCERT Conference. The Chatham House Rule was invoked, so I can’t say exactly who was involved, which is pretty convenient since I couldn’t remember the names or affiliations of half the people who were in the room at the time in any case. A large number of the vendors at AusCERT got invited by representatives from the Australian police forces to participate in open conversation and feedback. This wasn’t simply a pretense to make vendors feel good; the LEOs (Law Enforcement Officers) were genuinely interested in hearing from people who worked in the business. The sad part is that after a break, only a few of the vendors came back for the second half of the conversation. Not that I had any problems speaking my mind in either half of the conversation.
The question that took up most of the time was “Australia is going to put our healthcare information online, how do we keep it safe?” There were numerous suggestions, but the point that resonated with almost everyone was that the data was almost certainly already compromised and if it wasn’t, it would be soon. This led to a few incredulous stares and the statement, “90% of businesses already admit to being compromised, the other 10% just won’t admit it or don’t know yet.” Isn’t it uplifting when you get 20 or so vendors in a room and every one of them tells you you’re probably already compromised? Several of the comments from the LEOs gave me the impression that they had exactly the same opinion, even if they couldn’t admit it in any forum that contained people without the proper security clearances.
This conversation left me wondering. How do we live in a world where we have to assume that if our data isn’t already compromised, it soon will be? How do we make the data useful to the people who rely on it while denying value to the people who would want to steal it? We know we can’t secure data forever, so can we give it a lifetime in some way and still continue to use it?
One of the solutions I thought about was encryption. We use it widely for the protection of credit cards, though perhaps not as widely as we really should. It’s great for keeping data in motion secure if we’re using short lived keys and well known algorithms. It’s relatively good for dealing with data at rest, at least as long as the keys are well maintained and everyone treats the data with due diligence. Which is seldom the case, since most evidence points to compromises taking place in ways that easily circumvent encryption technologies. The best encryption in the world doesn’t help much when legitimate user accounts are compromised.
We live in a world where our defenses don’t seem to be working and all data will eventually be compromised by someone. We’re at a stage where we can’t pretend our static defenses will protect us from much except the pickers of low hanging fruit on the Internet. Whether it’s a nation state actor, a chaotic actor or an out of work actor, someone wants our data; and they’re going to get it eventually, since we have so many holes in our protections. Which means we have to change our way of securing the data to make it useless to anyone outside its intended audience.
I’m not even sure what making information lose its value outside of its intended audience would look like. One idea is to make the information publicly available, which removes the value to an attacker, but that’s probably never going to be a viable option when dealing with healthcare information. Rumors of technologies that will make data self-destruct when it’s removed from its proper environment are appealing, but I have yet to talk to anyone who’s actually given any such solution a walk through. Hardware based solutions that rely upon encryption are slightly better than software, but then you have problems like vendor lock-in and longer life cycles for the technology, which really only help the vendor.
As usual, I don’t have an answer for this problem. But I know that our data is leaking from where it’s stored every day and the leak may soon become a deluge. Australia isn’t the only country that’s looking at putting their healthcare information online, and they need a solution that’s going to work as well for the big corporations as it does for the single doctor clinics in the Outback. Any technology that can’t be operated by a doctor who’s willing to live hundreds of miles from the closest IT guy isn’t going to work. And while the US might be a little different, I’m not sure we should look at the tech our doctors might use any differently.
If you have an answer to this problem, it might be the wave of the future.