The Broken Model of Access Control
This time, however, it is with the credit bureau, Experian, which offers data protection with its services. The data protection issue has reached a whole new level. You can read the statement from T-Mobile’s CEO here.
With all previous massive data breaches, like Target, Sony, Home Depot, and the IRS, the problem was weak access control and unprotected data sitting behind firewalls. In the simplest terms, once the hackers break in, they can access ALL of the data. With the most recent data breach, even encrypted data was compromised.
While we don’t know the full details yet, it is likely that Experian stored the encryption keys within the same data center as the data, so the hackers got the keys as soon as they got in. The cryptography itself is still secure, but once the key is stolen, the strength of the cipher is irrelevant.
The latest data breach magnifies the problem: nothing is safe, and we need to rethink the entire access control model.
If you follow the trend of all the massive data breaches, you can see the hackers are getting into bigger and bigger data repositories: from retail stores to the government, and now to the very place that stores credit information. The more concentrated the data, the more profitable a successful hack is.
Our focus should not be on building bigger and thicker walls. As we have seen with recent events, any individual with enough incentive and skill can get through the thickest of walls and get inside any system. The focus should be on making it less profitable for hackers to break into any given system. Instead of building ever-bigger data repositories, we should build distributed systems.
Another key is that we have to stop trusting everybody and anybody. Data belongs to the end-users. Period. No one should have access to the data unless authorized by the end-user. Our current system architecture follows a “trust all employees within a given organization and allow them access to most customer data” model. With this mindset, any weak password could potentially expose the entire data repository.
A perfect “Trust-No-One” architecture does exactly that: it doesn’t trust anyone, because the data belongs to the end-user. There is no system access, no admin access, and no hidden backdoor. If an employee needs access to the end-user’s data in order to provide support, an explicit grant is required from the end-user themselves. Most often when you hear support staff say “can I look at your data?” they are merely saying this to satisfy legal liability; they already have access to your data set even before you grant permission.
Here are my four basic principles of data security:
- Trust-No-One. Data belongs to end-users. No exceptions.
- Distributed Repositories.
- No system-level access keys.
- All access-control must be crypto-based.
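The following Go program is an added illustration of the four principles above and of the key-storage point made about the Experian breach; it is not code from the original post. Every record is encrypted under its own random data key, that data key exists only in copies wrapped to individual principals' public keys, and the service holds no private key at all, so a copy of the stored records alone yields no plaintext. A support agent gets access only when the owner, using the owner's own private key, unwraps the data key and re-wraps it for the agent. The names `Principal`, `Record`, `SealRecord`, `OpenRecord`, `Grant` and `Revoke` are assumptions for this example, and the key pairs are generated in memory purely for demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Principal is anyone who can hold a private key: the end-user who owns the
// data, or a support agent. The service itself is never a Principal.
type Principal struct {
	Name string
	key  *rsa.PrivateKey
}

// NewPrincipal is a hypothetical helper that generates an in-memory RSA key
// pair; a real deployment would keep the private key on the user's device.
func NewPrincipal(name string) (*Principal, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Principal{Name: name, key: k}, nil
}

// Record is everything the service stores: the AES-GCM ciphertext and, for
// each authorized principal, the data key wrapped to that principal's public
// key with RSA-OAEP. Nothing here is decryptable without a private key.
type Record struct {
	Owner      string
	Nonce      []byte
	Ciphertext []byte
	Grants     map[string][]byte // principal name -> wrapped data key
}

var oaepLabel = []byte("record-dek")

func wrapDEK(pub *rsa.PublicKey, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
}

// unwrapDEK succeeds only if a grant exists for p AND p holds the matching
// private key; a stolen Grants table is useless on its own.
func unwrapDEK(p *Principal, rec *Record) ([]byte, error) {
	wrapped, ok := rec.Grants[p.Name]
	if !ok {
		return nil, fmt.Errorf("%s has no grant for this record", p.Name)
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, wrapped, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("wrapped key does not match %s's private key", p.Name)
	}
	return dek, nil
}

func gcmFor(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext under a fresh random data key and wraps that
// key to the owner only. No system-level key is involved at any point.
func SealRecord(owner *Principal, plaintext []byte) (*Record, error) {
	dek := make([]byte, 32) // AES-256 key
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := wrapDEK(&owner.key.PublicKey, dek)
	if err != nil {
		return nil, err
	}
	return &Record{Owner: owner.Name, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		Grants:     map[string][]byte{owner.Name: wrapped}}, nil
}

// OpenRecord decrypts for a principal using that principal's own private key.
func OpenRecord(p *Principal, rec *Record) ([]byte, error) {
	dek, err := unwrapDEK(p, rec)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

// Grant is the explicit end-user action: only the owner, who can unwrap the
// data key with their private key, can extend access to another principal.
func Grant(granter *Principal, rec *Record, grantee *Principal) error {
	if granter.Name != rec.Owner {
		return fmt.Errorf("grant refused: %s is not the owner", granter.Name)
	}
	dek, err := unwrapDEK(granter, rec)
	if err != nil {
		return fmt.Errorf("grant refused: %w", err)
	}
	wrapped, err := wrapDEK(&grantee.key.PublicKey, dek)
	if err != nil {
		return err
	}
	rec.Grants[grantee.Name] = wrapped
	return nil
}

// Revoke deletes a wrapped copy. Caveat: a grantee who already unwrapped the
// data key may have kept it, so full revocation means re-sealing the record
// under a new data key.
func Revoke(rec *Record, name string) { delete(rec.Grants, name) }

func main() {
	alice, _ := NewPrincipal("alice")
	agent, _ := NewPrincipal("support-7")
	rec, _ := SealRecord(alice, []byte("account notes (constructed sample)"))
	_, err := OpenRecord(agent, rec)
	fmt.Println("before grant:", err)
	_ = Grant(alice, rec, agent)
	pt, _ := OpenRecord(agent, rec)
	fmt.Println("after grant:", string(pt))
}
```

Two design points worth noting. First, the service's database never contains a usable key: an attacker who copies every `Record` still has to obtain a principal's private key, which lives outside the data center. Second, `Grant` requires the granter to prove ownership cryptographically by unwrapping the key, not merely by an access-control table entry, which is what "all access-control must be crypto-based" means in practice.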
We are in the infancy of the data era. It’s like New York City in the 1880s, when local direct-current power plants were popping up, unleashing the electricity era. In the decades that followed, the DC-based power plants gave way to AC-based power plants, carrying electricity all the way into the 21st century. Trust-No-One Data Architecture may be the AC of the data era.