Last week I had a lively discussion with an education expert about privacy and security. It started after interpretations of FERPA led universities to sell student directories and email addresses to third-party marketing organizations (spammers). Just because they can doesn't mean they should.
Then we moved on to the topic of security. I always start with the assumption that all systems will be compromised, either externally or internally. That is reality. But it can be managed. Starting with that premise, how do you design or improve your system?
First you need to compartmentalize your system into the smallest discrete pieces, so that if one compartment is compromised, none of the others is. Cloud systems tend to be monolithic silos: break into one part and everything else is exposed. At my last company we built a separate virtual instance for each customer, so if one customer was compromised it had zero effect on anyone else.
We also segregated the data (we were dealing with patient health records). But we needed subsets of that data aggregated to do analytics. Pulling the data from each instance is very bad, because whatever does the pulling holds access to every instance and becomes a single point of weakness. Instead, each instance pushed its own summary data to the aggregation database.
Next you need auditing. Record everything, and make sure that the system administration role is completely separate from the auditing role.
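As an added illustration of the per-customer isolation, push-only aggregation and audit points above (example code written for this post, not the system from my last company; the tenant ids, token scheme and in-memory stores are assumptions), the sketch below gives each tenant instance a token that can only write its own summaries, keeps the aggregator free of any credential into the tenants, and logs refused pushes to a separate audit trail:

```python
import hashlib, hmac, secrets
from collections import defaultdict


class AggregationDB:
    """Central analytics store. Holds no credential to any tenant instance: summaries
    arrive only by push, each authenticated with a token bound to one tenant id."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)
        self._summaries = defaultdict(list)
        self.audit = []  # append-only trail, kept apart from the admin data path

    def issue_push_token(self, tenant_id):
        # HMAC over the tenant id: the token can only ever write that tenant's rows.
        return hmac.new(self._secret, tenant_id.encode(), hashlib.sha256).hexdigest()

    def push_summary(self, tenant_id, token, summary):
        accepted = hmac.compare_digest(token, self.issue_push_token(tenant_id))
        self.audit.append({"tenant": tenant_id, "action": "push", "accepted": accepted})
        if accepted:
            self._summaries[tenant_id].append(summary)
        return accepted

    def summaries_for(self, tenant_id):
        return list(self._summaries[tenant_id])  # analyst read path, not token-reachable


class TenantInstance:
    """One isolated instance per customer: own raw records, write-only aggregator token."""

    def __init__(self, tenant_id, aggregator):
        self.tenant_id, self.records, self.aggregator = tenant_id, [], aggregator
        self.token = aggregator.issue_push_token(tenant_id)

    def push_summary(self):
        summary = {"count": len(self.records), "total": sum(self.records)}
        return self.aggregator.push_summary(self.tenant_id, self.token, summary)


def demo():
    agg = AggregationDB()  # constructed sample tenants and records below
    acme, globex = TenantInstance("acme", agg), TenantInstance("globex", agg)
    acme.records.extend([3, 5])
    globex.records.append(7)
    ok = acme.push_summary() and globex.push_summary()
    # Suppose acme's instance is compromised: its token cannot write globex's
    # summaries, and the refused attempt lands in the audit trail.
    forged = agg.push_summary("globex", acme.token, {"count": 0, "total": 0})
    return {"honest_pushes_ok": ok, "forged_accepted": forged,
            "globex_summary": agg.summaries_for("globex"),
            "rejected": [e["tenant"] for e in agg.audit if not e["accepted"]]}
```

The same shape carries over to a real deployment by replacing the in-memory stores with per-tenant databases and the HMAC token with a credential scoped to one tenant's write path.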
Finally you need remediation. What are the protocols to observe when any part of the system is compromised?
- Isolate it
- Fix it
- Notify those affected
- Identify the root cause
- Change to eliminate the root cause
This goes beyond system design into understanding how your customers and users need to interact with the system. Do all new users really need to default to the administrator role?
It is our job to take security and privacy seriously and engage our users to make sure they have what they need without making their lives more difficult (give me two-factor authentication to my cell phone over complicated passwords any day).