It has been interesting to watch how the information security market has reacted to the leaks of information presented via the press by Edward Snowden, writes Robert Newby. The hardcore security community has tended to condemn his actions as childish and ill thought-out; colleagues at GCHQ either refuse to speak his name or spit (literally or metaphorically) when they do. Others with a more left-of-centre attitude revere him as a hero of the common man.

There are of course elements of truth in all of this. My take is that he acted illegally, but thought he was doing something for a greater cause. Perhaps if he had practised whistle-blowing via the correct routes he would have been silenced, and the government would never have had to act in defence; certainly we would never have had to react personally. Simply put, the more people he could get to see what was happening all at once, the more chance there was that something would be done about it without the truth being manipulated.

Of course IT security suppliers have had a field day with this. As an analyst I speak to suppliers on a weekly if not daily basis. Not a single one has failed to come out with their own take on how they could have stopped the “Edward Snowden problem”. For identity companies of course this makes some sense: proper identification and access control may have prevented access, but Snowden had legitimate access to many of his sources. Some of the more cutting-edge virtual systems also have great case studies; one in particular, where the information cannot leave a specific environment without encryption, would surely have slowed him down.

Man on a mission

But that is the point. It would have slowed him down, not stopped him. Snowden was clearly a man on a mission. Technology had little to do with what he set out to achieve. Holes in security were exploited out of habit rather than malicious intent; the intent was there without the technology. That is to say, Snowden would have revealed what he did one way or another; the fact that it was made easy by lack of process, identification, access control, encryption and other controls is only half the story. This does not mean it should not be raised to our attention, quite the opposite, but in context, not as isolated point solutions. In fact it could be argued that isolated point solutions were much of the issue in the first place.

Haven’t we seen this before? The approach to information security always seems to be, and to have been, to follow the most recent or highest-profile problem, and to fix it with technology. We are often so busy firefighting that we have no time to implement strategies. Projects have a better chance, where some strategy can be applied at a high level before implementation of the whole, but there are often unforeseen circumstances during execution which change the dynamic and put security on the back foot again.

As more platforms, infrastructure and applications are moved offsite, this becomes more of an issue. Security cannot be fully outsourced, even when the rest of the operation is. The fact remains that a business needs to be able to deal with the internet in this day and age, to manage its involvement and interaction with it, at scale, and to react. And better still, to be proactive in the responses received from logs and alerts out in the wild.