31 Jul The Importance of Sticking to Your (Information) Security Policies and Procedures When Outsourcing
The recent classified data breach in Sweden is destabilizing the government. The story that has gradually been breaking out this summer is quite astonishing. At the time of the writing of this blog the Swedish government is regrouping after the political storm that hit them. 2 ministers had to resign as a result.
Apparently it all started with the Swedish Transport Agency and when they moved data to the cloud. Moving data to the cloud in itself was not the problem. The problems was that the authorities didn’t adhere to the security policies, despite advice / warnings from the Swedish Security Service, requiring security clearances for the people managing the data, potentially giving access to very sensitive information to foreign users.
There’s (at this point) no evidence that the information transferred to the cloud has been accessed by unauthorized people or a foreign government. You can check from the links the data that was put in jeopardy – it’s quite sensitive.
Cloud is not the bad guy here
The problem here is definitely not the technology itself. Cloud services can be as secure or even more secure than on-premise services / servers. The blunder is all about processes and governance. When you outsource processes, data or technology you must ensure that proper security policies (defined by you) are in place and that they are followed.
This case also highlights (IMHO) the importance of understanding technology. When making decisions you should grasp the basic underlying technology, or listen to advice from those who know better. Too often we see technology to put in use in places and in a manner that exposes (unforeseen) problems. The constant stream of vulnerabilities in connected devices (IoT) is a prime example of this. When you add connectivity to a fairly simple device without any consideration for security – you are welcoming trouble.
Would CIAM have helped the Swedish Transport Agency?
Just as a thought exercise… Let’s go through this case and see if things could’ve been avoided with technology (with major simplifications).
When outsourcing the data to the cloud, Swedish Transport Agency could have
- Mandated a request procedure for users wishing to access the information
- The request would have been moved forward if the user had demonstrability gone through a security clearance process
- The solution would have been connected to a database listing people with proper security clearances
- The user identity was verified at a high level of assurance (IAL = 3)
- The user had authenticated himself properly with multi-factor authentication (AAL=3)
- If someone would have verified that this user has a legitimate interest to access the data
… and for internal employees they probably have a procedure in place, I hope. And CIAM is the technology that helps organisations deploy processes like this and protect their information – allow only properly vetted and authenticated external users access to data. It naturally goes out the window if the director says that it’s not needed / required.
An interesting question: What would’ve happened if this came to light 1 year from now with GDPR in full effect?
Data you own and are responsible of needs protection. CIAM is one of the tools at your disposal to safeguard it. Contact Ubisecure now if you need to bolster your security.