Last December, Microsoft published an article on its official blog detailing steps the company planned to take to protect its customers’ data from government snooping. Written by Brad Smith, general counsel and executive vice president for Microsoft Legal & Corporate Affairs, the article promised additional encryption of data in transit and at rest, reinforced legal protections such as challenging government gag orders, and greater transparency of the company’s own code to guard against backdoors.
Smith’s post was in response to the controversy surrounding NSA surveillance and Microsoft’s reported cooperation with government efforts to collect user data. The story of government spying has been a hot-button topic with IT pros since it surfaced with the Edward Snowden revelations in May and June of last year. Microsoft’s current efforts are certainly welcome news, particularly for businesses that run primarily Microsoft products. However, there’s plenty of sentiment that this gesture is too little, too late.
Personally, I think Microsoft is taking a good step. But as an IT pro, you can’t rely on your software providers to establish network security and data protection. It’s your responsibility to ensure appropriate safeguards are in place so that your users and your customers can trust that their information is secure in your keeping. Regular and consistent network auditing should be a cornerstone of your internal protections.
Part of thorough security auditing is monitoring access control changes. Although you might not detect the most nefarious backdoor exploits, it’s nonetheless important to keep an eye on who has access to what data, where that data is going, and how it’s changed. And as Nick Cavalancia points out in “Can NSA Spot the ‘Adversary’?” you also need to be sure you can tell if and when your security policies themselves have been changed. Without such protection, an unauthorized user could simply turn off protections in order to perform unwanted actions with no network visibility.
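As an added example that is not part of this column: a small Python detector, run over constructed Windows Security log records, that flags the kind of policy tampering the paragraph warns about. Event IDs 1102 (audit log cleared), 4719 (system audit policy changed), 4907 (auditing settings on an object changed) and 4670 (permissions on an object changed) are the real Windows Security log IDs for those actions; the record layout, the authorized-admin allowlist, the sensitive-object list and the 30-minute "cover-up" window are assumptions of the example.

```python
"""Added example: flag changes to audit policy and access control in a
Windows Security log export. Not code from the original column."""
from datetime import datetime, timedelta

# Accounts permitted to change audit policy under change control (assumption).
AUTHORIZED_POLICY_ADMINS = {"CORP\\svc-gpo-deploy"}

# Objects whose permission changes always deserve a look (assumption).
SENSITIVE_OBJECTS = {r"\\fileserver\finance", r"\\fileserver\hr"}

# Real Windows Security event IDs for the actions described.
POLICY_EVENTS = {
    1102: "audit log cleared",
    4719: "system audit policy changed",
    4907: "object auditing settings changed",
}

# A policy change followed by a log clear by the same account inside this
# window is escalated: it is the pattern of someone switching off visibility
# and then removing the trace of having done so (assumed window).
COVERUP_WINDOW = timedelta(minutes=30)

# Constructed sample log: a plain-dict rendering of the event XML fields.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2014-01-14T08:02:11",
     "SubjectUserName": "CORP\\jdoe"},
    {"EventID": 4719, "TimeCreated": "2014-01-14T08:05:40",
     "SubjectUserName": "CORP\\jdoe", "Subcategory": "File System"},
    {"EventID": 4670, "TimeCreated": "2014-01-14T08:07:02",
     "SubjectUserName": "CORP\\jdoe", "ObjectName": r"\\fileserver\finance"},
    {"EventID": 4670, "TimeCreated": "2014-01-14T08:09:15",
     "SubjectUserName": "CORP\\jdoe", "ObjectName": r"C:\Users\jdoe\notes.txt"},
    {"EventID": 1102, "TimeCreated": "2014-01-14T08:20:33",
     "SubjectUserName": "CORP\\jdoe"},
    {"EventID": 4719, "TimeCreated": "2014-01-14T22:00:05",
     "SubjectUserName": "CORP\\svc-gpo-deploy", "Subcategory": "Logon"},
]


def _ts(ev):
    """Parse the record's timestamp so events can be ordered and compared."""
    return datetime.fromisoformat(ev["TimeCreated"])


def find_policy_tampering(events, authorized=AUTHORIZED_POLICY_ADMINS,
                          sensitive=SENSITIVE_OBJECTS):
    """Return (time, severity, actor, description) tuples in time order.

    Severity: 'info' for a policy change by an authorized account, 'high'
    for any other policy/ACL change of interest, 'critical' for a log clear
    shortly after a policy change by the same account.
    """
    alerts = []
    last_policy_change = {}  # actor -> time of their most recent 4719/4907
    for ev in sorted(events, key=_ts):
        eid = ev["EventID"]
        actor = ev.get("SubjectUserName", "<unknown>")
        when = _ts(ev)
        if eid in (4719, 4907):
            last_policy_change[actor] = when
            sev = "info" if actor in authorized else "high"
            alerts.append((ev["TimeCreated"], sev, actor, POLICY_EVENTS[eid]))
        elif eid == 1102:
            sev = "high"
            prev = last_policy_change.get(actor)
            if prev is not None and when - prev <= COVERUP_WINDOW:
                sev = "critical"
            alerts.append((ev["TimeCreated"], sev, actor, POLICY_EVENTS[eid]))
        elif eid == 4670 and ev.get("ObjectName") in sensitive:
            alerts.append((ev["TimeCreated"], "high", actor,
                           "permissions changed on " + ev["ObjectName"]))
    return alerts


if __name__ == "__main__":
    for alert in find_policy_tampering(SAMPLE_EVENTS):
        print(" | ".join(alert))
```

The 4670 on the user's own notes file is deliberately ignored so that the output stays readable; the two policy changes are treated differently only because one actor is on the allowlist. Note that a detector like this only works against logs forwarded to a collector as they are written: once event 1102 has fired, the local log no longer contains the events that preceded it.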
For a generation that grew up watching The X-Files, no government conspiracy seems too far-fetched, and this year’s revelations of institutionalized spying through Internet data only go to support such notions. It would be nice to think that public outcry would change government policies. In the meantime, make sure you’re taking appropriate steps with your own network security so that you don’t make unlawful spying any easier than it should be.