A data security guy’s musings on the OPM data breach train wreck

Get a copy of the upcoming book "Secure Operations Technology"

Despite all the media attention to breaches, there is still way too much apathy when it comes to data-centric security. Given the sensitive data the OPM was tasked with protecting, it should have had state-of-the-art data protection, but instead it has become the poster child for IT security neglect. While it’s dismal security posture is unjustifiable, the people and process challenges that hindered the implementation of appropriate security measures are pervasive.

Case in point: With eight years of failed audits and formal warnings, the OPM’s cyber security deficits were well known. Former OPM Director Katherine Archuleta’s point that “the whole government is to blame,” while certainly is no excuse, does have some merit. The Inspector General’s office, for one, issued multiple reports and warnings, apparently for years in a row, yet took no action. What good is having oversight and governance if the overseers can’t or wont ensure accountability? It is way too easy to point fingers after the damage is done, but if the OPM was underperforming on security, why didn’t the IG’s office intervene?

It’s no secret that government agencies have (particularly) aging infrastructure, which can be both a blessing (harder and less incentivizing to exploit) and a curse (The OPM’s systems were too old for encryption?). The forklift upgrades that might be required to modernize appropriately not only significantly raise the cost of security; they require buy-in from numerous stakeholders (further slowing things down) and are massive efforts in and of themselves.

And then there is the issue of making sure proper security is in place when working with business partners, especially those with access to highly sensitive data. Secure collaboration with trusted business partners is a reasonable business requirement, but not without the proper controls in place. The OPM knew one of its main contractors was hacked (unsurprisingly the same company was where the valid credentials used to gain access came from), yet no action was taken.

With all the recent breaches, it is clear (at least to me) that at some point, the buck stopped with someone who felt the weaknesses in their systems were either an acceptable risk, or, that the required risk reduction effort was not worth the cost. Plus, when it comes to data centric security, perception issues inhibit adoption. I evangelize data centric security every day and unbelievably, despite the fact that encryption could have minimized the impact of the Anthem, Premera and OPM breaches, the current zeitgeist towards any sort of data-centric protection strategy remains tentative, in both the public and private sectors.

A recent Ponemon Institute study revealed that the cost of data breaches due to malicious or criminal attacks has increased in the past year from an average of $159 to $174 per record. Whether the OPM hack revealed fourteen million records or “only” four million, it’s plain to see that applying preemptive security measures would have cost a fraction of the estimated operational damage, and these costs do not include reputational damage, which for the OPM, was extreme.

I know how self-serving it looks for a data security vendor to be calling for mass adoption of data-centric security controls. Discount the messenger, but please don’t discount the message. Despite a (breach-driven) wellspring of interest in data centric security, the biggest barrier to adoption remains the lingering belief that data centric security is either too hard to do or can’t be done at all. Such were the claims of the OPM, yet on June 25, it issued a report announcing it will “review and plan to encrypt all databases that are on modern technology platforms and can accept encryption by July 15.”

Clearly, public humiliation is an effective motivator.

The bottom line is that it is possible to not just deploy data protection, but to manage, update, and document access rights, at scale. I’m not saying it’s a plug and play endeavor, but it is absolutely possible. And it is certainly cheaper to invest preemptively in data-centric security than it is to take your chances and wait for a breach to occur, only to spend exponentially more in breach cleanup and minimizing the ensuing PR disaster. Not to mention, it is money much better spent.

If we give credence to any explanations or justifications arguing otherwise, then we are part of the problem. Unless we ensure the enterprises we entrust our personal data to protect it accordingly and hold them accountable for security failures, we are complicit in allowing the never-ending parade of mega breaches to continue.