
Wednesday, 30 March 2022 10:12

Facebook’s whistleblower is a case study in information security

By Daniel Lai
Daniel Lai, CEO of archTIS

GUEST OPINION: Frances Haugen is the Facebook employee-turned-whistleblower who has focused the world’s attention on the social harm algorithms can cause. Whether you agree with her cause or not, in the world of information security she’s also a case study of what should not be possible.

Facebook, like any other major corporation or public institution, will agree that information and data security is paramount. Yet its vulnerability to insider threats remains a blind spot - there’s an almost implicit assumption that Facebook could have done nothing to prevent this from happening.

This just isn’t true. There are good and bad ways to deal with the problem of who has access to what information, when and what they can do with it.  

Surprisingly, the worst way Facebook could protect itself from insider threats would be to model information sharing methods used by government security organisations and contractors. Here, it is common to see ‘air-gaps’ mandated between each level of information.  

Air-gapped networks are physically and logically isolated from other networks, so communication between them is not possible. In practice, this means ‘Top Secret’ data is only accessed on a completely different network from the one that contains ‘public’ information, and so on for every security level between these two points.

What this leads to is ‘swivel chair’ security - quite literally someone sitting at one PC, copying the information they need, then swivelling their chair over to another PC which can access the other database, and copying that information too.

Most IT teams would see the horrendous inefficiencies at play here. Manually copying information over each time you need it is practically inviting errors to be made and data loss to occur, and it takes a long time. It also means you need multiple desktops, complete with air-gapped infrastructure behind them, firewalls and so on. This air-gapped, network-driven philosophy creates huge costs and focuses on protecting the networks rather than protecting the data stored within them.

Even with a practically unlimited tech or security budget, if you proposed this to any enterprise, I’m willing to bet the time and resource cost would be the toughest sell. So why do we tolerate it in the public sector? Time is perhaps more valuable to the Department of Defence than it is to Facebook, even if it’s hard to put a dollar value on.

We need a better middle ground, and fortunately one already exists. Multi-level Security, or MLS, is a simple concept: an MLS capability (system, platform or environment) allows information at different classifications to be stored and accessed within a single security domain, while enforcing different access policies and compartments dynamically depending on the context, with assurance that the separation is effective.

Think of it as a giant repository of data in the cloud that you can access at any time, but only if you have the right credentials. If you hold ‘secret’, you won’t see as much as someone with ‘top secret’, and so on.

Combine this with technologies like Attribute-Based Access Control (ABAC) and MLS becomes even more effective. Using ABAC as the dynamic policy enforcement method, you can provide granular access control appropriate to the context.
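As an added illustration of the MLS-plus-ABAC model described above (example code written for this piece, not archTIS or Facebook code): one shared repository whose documents carry a classification label and compartments, an access decision that combines the ‘no read up’ rule with contextual attributes such as region and device state, and an audit record of every decision. The level names, compartments, sample documents and the analyst user are constructed values.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Classification levels of one shared repository. A reader may only see documents
# at or below their clearance: the MLS "no read up" rule.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()  # need-to-know compartments
@dataclass(frozen=True)
class Document:
    name: str
    label: Label
    regions: FrozenSet[str]  # resource attribute: regions it may be read from
@dataclass(frozen=True)
class Subject:
    user: str
    clearance: Label
    region: str          # environment attributes, evaluated on every request
    managed_device: bool

AUDIT: List[str] = []    # every decision, permit or deny, is recorded
def dominates(clearance: Label, label: Label) -> bool:
    """MLS dominance: clearance level >= label level and every compartment held."""
    return (LEVELS[clearance.level] >= LEVELS[label.level]
            and label.compartments <= clearance.compartments)

def may_read(subject: Subject, doc: Document) -> bool:
    """ABAC decision: the MLS lattice plus contextual attributes, deny by default."""
    reasons = []
    if not dominates(subject.clearance, doc.label):
        reasons.append("clearance does not dominate label")
    if subject.region not in doc.regions:
        reasons.append(f"region {subject.region} not permitted")
    if not subject.managed_device:
        reasons.append("unmanaged device")
    AUDIT.append(f"{'DENY' if reasons else 'PERMIT'} {subject.user} -> {doc.name}: "
                 + ("; ".join(reasons) or "ok"))
    return not reasons

def visible_documents(subject: Subject, docs: List[Document]) -> List[str]:
    return [d.name for d in docs if may_read(subject, d)]

# Constructed sample repository and user (illustrative values, not real data).
REPO = [Document("press-release", Label("public"), frozenset({"AU", "US"})),
        Document("ads-research", Label("secret", frozenset({"ADS"})), frozenset({"US"})),
        Document("board-minutes", Label("top secret"), frozenset({"US"}))]
ANALYST = Subject("analyst", Label("secret", frozenset({"ADS"})), "US", True)
```

The point for insider-threat work is the audit list: a single repository means every read, including the ones refused, leaves a record, instead of data silently crossing an air gap on a USB stick.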

Even if it is insisted that the highest echelons of the repository remain air-gapped, there is a lot of information that falls below that level: information that quickly loses its value if it is not shared in time with the right agencies around the world.

Had Haugen worked for the US National Security Agency, she’d be the next Edward Snowden. Had Facebook had ABAC and MLS technology, Frances would have faced a far more formidable challenge, while the organisation itself would not have suffered the inefficiencies of current standard information security practices.
