Years ago, I was standing on a ridge in rural Washington looking at the expanse of the middle of nowhere when my phone rang. My brother-in-law and I would talk geek off and on, but it was odd for him to call me randomly. So, I took the call and in the incongruous setting of rocky hills and wild horses, we got into a deep-dive about data security.
He was incensed that the website Ashley Madision had been hacked.
Now, when your brother-in-law is upset that a website that promotes infidelity has been hacked, you kind of wonder... only Eric was the nicest guy on the planet, high-school sweethearts with my sister, never looked at another woman. No, he felt the [insert expletive] adulterers deserved whatever happened to them. His anger was at the engineers who said this could never happen and had broken a different covenant, the vow that your data will be safe.
He wanted a better solution to privacy and he described what I’ve been preaching ever since: record level encryption tied to an individuals identity. No single person should have access to all data, every record should have two keys, the application key, and the individual key. You can duplicate, share, and in other ways grant access to that data, but the default should never be an admin key that can see EVERYTHING.
As hack after hack, data breach after data breach, extortion after extortion happens I keep wondering... why is this happening? Why is all that data just sitting out there on servers waiting to be scooped up with a single key?
There are two reasons, one is tech debt, but we know how to tackle tech debt. The underlying reason is, we want access to that data.
The dark joke is that we are the product, that when something is free, it really isn't. If we really did lock down all the data, then the entire industry would grind to a halt. Data mining is huge business, and, as someone fascinated by watching graphs change as new input arrives in real time, watching the matrix in its raw form (i.e. just browsing data) sparks new ideas and new innovations.
So as with everything, there needs to be a balance. With GDPR, CCPA and NYDFS we don't have to scratch our heads for long to figure out what needs to be locked down tight with only the individual having access.
But we can do better. We should be looking at the kind of data we need for our businesses, the kind of data we honestly don't need (the hours lost examining irrelevant log data must be a noticeable hit on the GDP) and then, under reflection of business goals and engineering needs, look at, and understand, the rest.
But the basic policy should be, if you don't have a policy, lock it. Until we move from the default position of "it doesn't matter until it's been breached" we'e going to keep having these fire drills, lose credibility and lose money.
So lock it down. Even if you want to look, you probably shouldn't. Do better, keep your vows.