If you’re in the IT security business, then the only thing that could possibly be at the top of your mind right now is Apple vs. the FBI. Whether you look at it from a high level or in the technical details, the issues involved are complex and the implications are far-reaching. Ultimately it all boils down to a simple question: Who can you trust?
Those who side with the government clearly feel they can trust the government. Many question whether they understand what they are trusting the government with in this case. If the government is given the right to ask private technology firms to create software to do bad things at will, what will they use it for next? As background to this particular fight, the government is essentially asking the security community to put in true back doors for all encryption. What does it mean to give the FBI a perfect case where they can say it would have been so much simpler if they had been trusted with the big, magic key to unlock the iPhone in the first place?
Those who trust Apple are also in store for some hard questions. What does it mean for a company to simply say “No” when asked to assist in a criminal investigation? In all the communications that we hear from Apple, we do not hear them saying they cannot meet the demands. While this may not come as a huge surprise to security experts, it’s likely a big surprise to many others – even many technologists who have bought into Apple’s position on security. Will the revelation that the security of the iPhone can be undone at Apple’s directive hurt the technology giant in the long run?
When’s The Last Time You Read Your Terms of Service?
If you’ve been surprised by some of what’s surfaced during the Apple vs. the FBI discussion, then it may be time to get your lawyers in for a very big contract review. Apple is not the only vendor that can break your security if they choose, and the FBI isn’t only going to be interested in this one case in the long run. If you are using mobile – or cloud – services in your organization, do you know what the terms are around third-party and government requests for access to data? Who are you trusting with your data right now and how easy would it be for them to take advantage of that trust?
When you read security guides for moving to cloud and mobile, they start with basic ideas like making sure you control the encryption keys, and making sure you have the administrative accounts locked down tight within your control. Like so much good security advice, though, these simple things are often ignored. With mobile you often have no choice.
The iPhone will always be Apple’s to exploit if they wish to because of the nature of mobile today. Unless you want to write your own mobile platform from scratch, you will be at the mercy of Apple, Google, Microsoft, and others. With cloud you have a bit more control. You can use strong encryption and credential protection to keep the control of your data in your hands. However, it’s something that needs to be thought about up front and designed into the plans. Often people end up trusting their provider with too much access simply because they don’t have the time or energy to invest in planning up front.
The Only Smart Trust Is No Trust
In the end, the best thing you can do is act very paranoid in the beginning so you can relax a bit in the long run. Design systems so that there is almost no trust at all. Encrypt everything you can, keep the keys locked up as securely as you can, and use gated administrative authority to make sure that no one can touch them. Strip all the humans you can find of any privileges they don’t need to have, and lock all of that up as well. Make everyone go through an approval-driven process to get the authority when needed.
Often an objection we hear to these “no trust” models is that the reason organizations hire people, in part, is that they’re trustworthy. What Apple vs. the FBI shows us is that it’s not all about the individual people. Who you trust may not be up to you or your staff. There may be parts of your systems that suddenly become the focal point of an attack or legal pursuit. Will that person you trusted be willing to go to jail rather than reveal the admin credentials they know off the top of their head? Unless you have one hell of an employee loyalty program, the answer is likely no. What would that mean for your organization in the long run? If your data is only one PIN code away from the wrong hands, who do you trust to protect it? Who did you trust to put it at that level of risk to begin with?