Facebook, like any other major corporation or public institution, will agree that information and data security is paramount. Yet, their vulnerability to insider threats remains a blind spot - there’s an almost implicit assumption that Facebook could have done nothing to prevent this from happening.
This just isn’t true. There are good and bad ways to deal with the problem of who has access to what information, when and what they can do with it.
Surprisingly, the worst way Facebook could protect itself from insider threats would be to model information sharing methods used by government security organisations and contractors. Here, it is common to see ‘air-gaps’ mandated between each level of information.
Air-gap networks are physically and logically isolated from other networks so communication between these networks is not physically or logically possible. In practice, this means ‘Top Secret’ data is only accessed on a completely different network to one that contains ‘public’ information, and so on for every security level between these two points.
What this leads to is ‘swivel chair’ security - quite literally someone sitting at one PC, copying the information they need, then swivelling their chair over to another PC which can access the other database, and copying that information too.
Most IT teams would see the horrendous inefficiencies at play here. Manually copying information over each time you need it is practically inviting errors and data loss, and it takes a long time to do. It also means you need multiple different desktops/computers, complete with air-gapped infrastructure behind them, firewalls and so on. This air-gapped, network-driven philosophy creates huge costs and focuses on protecting these networks, rather than protecting the data stored within them.
Even with a practically unlimited tech or security budget, if you proposed this to any enterprise, I’m willing to bet the time and resource cost would be the toughest sell. So why do we tolerate it in the public domain? Time is perhaps more valuable to the Department of Defence than it is to Facebook, even if it’s hard to put a dollar value on.
We need a better, middle ground, and fortunately one already exists. Multi-level Security, or MLS, is a really simple concept. An MLS capability (system, platform, or environment) allows information at different classifications to be stored and accessed within a single security domain, while enforcing different access policies and compartments dynamically depending on the context, with the assurance that the separation is effective.
Think of it as a giant repository of data in the cloud you can access at any time, but only if you have the right credentials. If you have ‘secret’, you won’t see as much as ‘top secret’ etc.
If you combine this with technologies like Attribute-based Access Control (ABAC), MLS becomes even more effective. When utilizing ABAC as the dynamic policy enforcement method, you can provide granular access control in the most appropriate context.
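As an added illustration (not code from this article or from any product it refers to), the sketch below shows one policy decision function applying an MLS clearance check, compartments and ABAC context attributes to a single shared repository. The level names, compartment labels, the `managed_device` attribute and the export rule are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed level ordering and attribute names; all are assumptions for this example.
LEVELS = {"public": 0, "internal": 1, "secret": 2, "top_secret": 3}

@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str
    compartments: frozenset = frozenset()
    managed_device: bool = False  # context attribute evaluated per request

@dataclass(frozen=True)
class Document:
    doc_id: str
    classification: str
    compartments: frozenset = frozenset()

def decide(subject, doc, action="read"):
    """Return (allowed, reason) for one request against one document."""
    # MLS: the subject's clearance must dominate the document's classification.
    if LEVELS[subject.clearance] < LEVELS[doc.classification]:
        return False, "clearance below classification"
    # Compartments: every compartment on the document must be held by the subject.
    missing = doc.compartments - subject.compartments
    if missing:
        return False, "missing compartment: " + ", ".join(sorted(missing))
    # ABAC context: 'secret' and above only from a managed device.
    if LEVELS[doc.classification] >= LEVELS["secret"] and not subject.managed_device:
        return False, "unmanaged device"
    # ABAC action: reading does not imply the right to export.
    if action == "export" and doc.classification != "public":
        return False, "export not permitted at this classification"
    return True, "permit"

def visible(subject, repo, action="read"):
    """Filter one shared repository down to what this subject may access."""
    return [d.doc_id for d in repo if decide(subject, d, action)[0]]

# Constructed sample repository: every level lives in the same store.
REPO = [
    Document("press-release", "public"),
    Document("org-chart", "internal"),
    Document("research-deck", "secret", frozenset({"integrity"})),
    Document("legal-hold", "secret", frozenset({"legal"})),
    Document("board-minutes", "top_secret"),
]

if __name__ == "__main__":
    analyst = Subject("analyst", "secret", frozenset({"integrity"}), managed_device=True)
    for doc in REPO:
        print(doc.doc_id, decide(analyst, doc), decide(analyst, doc, "export"))
```

Logging the reason string for every denial gives the security team an audit trail of attempted access above a user's level or outside their compartments.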
Even if it is insisted that the highest echelons of the repository remain air-gapped, there is a lot of information that falls below it. Information that quickly loses its value if it is not shared on time with the right agencies around the world.
Had Haugen worked for the US National Security Agency, she’d be the next Edward Snowden. If Facebook had ABAC and MLS technology, Frances would have faced a far more formidable challenge, whilst the organisation itself would not have suffered the inefficiencies of current standard information security practices.