Taking Heed to NSA's Assumption on Security Breaches Is Sound First Step
News Analysis: Real security depends on a belief that somebody, somewhere, will get into your network. The real question is, what do you do about it?
When Deborah Plunkett, the head of the National Security Agency's Information Assurance Directorate, said at a security conference that systems must be built with the assumption that adversaries will get in, her statement wasn't exactly a revelation. True security is multilayered, and it's designed from the top down to assume that there will be breaches. The goal is to minimize those breaches and to figure out who is doing them and where they're coming from.
A failure to compartmentalize highly sensitive information led directly to the current WikiLeaks scandal that has embarrassed the U.S. State Department and the U.S. Army. PFC Bradley Manning was able to gain access to the sensitive State Department messages because the entire secure messaging system was open to anyone who could gain physical access to the secure network. No attempt was made to limit access by individuals to what they actually needed to do their jobs. It was just an open bucket of secrets waiting to be harvested.
Now, I'm pretty sure that the NSA doesn't have any Bradley Mannings around waiting to copy some more secrets onto their Lady Gaga CD. But the point that Ms. Plunkett was making is that you have to be prepared for the eventuality that someone who should not have access to a secure system has been given it.