To say that the Edward Snowden leaks raise a lot of issues would be the understatement of the year.
Despite some of the hardened conclusions being drawn around the Internet and in the media, it is important to remember that the leaked documents are incomplete, at times vague, and interpreted through the lens of Snowden himself and the political journalists he has allied with. None of this automatically discredits them, but it does still leave us with a fairly fuzzy picture of what Internet surveillance actually looks like.
Most of the coverage about the leaks has focused on the implications for individual privacy. But business needs privacy too, and everyone uses the same Internet. Since we really don't know precisely which interpretations of the leaks are exactly true, we can at least consider how the interpretations of the leaks inform enterprise data security.
One of the leaks shines a light on US government metadata collection of email communications. This is actually one of the more specific leaks, and has apparently been acknowledged by US officials, although they say it no longer continues. Still, it is not unreasonable to prepare for the possibility that metadata collection could begin again. The metadata collected by the government is said to include raw email envelopes -- meaning not only "From" and "To" fields, but even BCC data, which is ultimately stripped from messages downstream before reaching the recipient. Although the actual message bodies are supposedly not collected, it has already been demonstrated that a lot can be gleaned from metadata alone.
While the government stands by its claim that metadata collection is intended to target communications with overseas parties based on the origin and destination of messages, businesses routinely engage overseas parties. This logic suggests that a significant amount of business communication metadata can be collected under the "foreign parties" rationale.
Email encryption can be an effective way to foil surveillance of communication content, but it does nothing to stop metadata collection. So what is an enterprise to do if it wants to stay out of government fishing nets? The best option would be to deploy a self-hosted messaging system. Yet enterprises seem to be moving in the opposite direction, toward cloud-hosted email.
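To make the envelope point concrete, the following added example (not part of the original article) builds a message with a BCC recipient and shows what remains recordable at the mail relay once the body is encrypted. The addresses, the sample message and the `OPAQUE_BODY` placeholder are constructed for illustration; no real encryption is performed.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Placeholder for an S/MIME or OpenPGP encrypted body (not real encryption).
OPAQUE_BODY = "-----BEGIN ENCRYPTED PLACEHOLDER-----"

def smtp_envelope(msg):
    """Envelope a mail client hands to its server: MAIL FROM plus one
    RCPT TO per To, Cc and Bcc address."""
    sender = getaddresses([str(msg["From"])])[0][1]
    fields = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return sender, [addr for _, addr in getaddresses(fields)]

def on_the_wire(msg):
    """What can be recorded at the relay for a body-encrypted message."""
    sender, recipients = smtp_envelope(msg)
    wire = EmailMessage()
    for name, value in msg.items():
        if name.lower() != "bcc":      # Bcc header is stripped before delivery
            wire[name] = str(value)
    wire.set_content(OPAQUE_BODY)      # body is protected, headers are not
    return {"mail_from": sender, "rcpt_to": recipients, "message": wire}

def sample_message():
    """Constructed sample; all addresses use reserved example domains."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@corp.example>"
    msg["To"] = "bob@partner.example"
    msg["Cc"] = "carol@corp.example"
    msg["Bcc"] = "counsel@lawfirm.example"
    msg["Subject"] = "Q3 pricing"
    msg.set_content("Confidential draft terms.")
    return msg

if __name__ == "__main__":
    seen = on_the_wire(sample_message())
    print("MAIL FROM:", seen["mail_from"])
    print("RCPT TO:  ", ", ".join(seen["rcpt_to"]))
    print(seen["message"].as_string())
```

The BCC address never appears in the delivered headers, yet it is present in the envelope recipient list, and the sender, recipients and subject line stay readable even though the body is opaque.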
Protecting user privacy
Many businesses necessarily accumulate data on customers. And if you're any kind of service business you may even be hosting customers' data itself, be it communications or media. With all of the concern stoked by the leaks about Prism, customers may now have heightened awareness and demands regarding protection of their own privacy. The government has powers to compel businesses to reveal data in certain circumstances (although precisely which circumstances, and how broadly, is very much part of the debate and not well illuminated by the Snowden leaks). This can put many an enterprise in a difficult position, between the potential demands of both government and private individuals.
It is impossible to eliminate this conflict, but just how exposed a company is can be mitigated. Data retention policies can be key to minimizing a business's exposure to privacy threats. Most network activity naturally generates an abundance of information which, in an era of cheap storage, is easy to archive and shove into a cybercorner forever. A better choice would be to audit what kind of data your business collects and the absolute maximum amount of time it needs to be retained. Likewise, data that is not necessary to collect probably shouldn't be kept. The goal here is to be able to assure customers that their privacy is being maximally maintained, while making it impossible to be forced to turn over to authorities data that simply doesn't exist.
Leak control isn't just for diapers anymore. Preventing employees or contractors from leaking information your company needs to protect is vital. We still don't know exactly how deep Snowden penetrated into national security databases versus how much he skimmed off the top. Still, that he could apparently walk out with a thumb drive full of officially classified documents (regardless of what they do or do not actually reveal) should be a wake-up call to every enterprise.
It may be impossible to stop a highly motivated leaker with deep access credentials, but businesses can still apply the principles of a digital firewall -- define access credentials as restrictively as necessary -- to defend against casual or even accidental leaks.
And, if at all possible, make sure you aren't hiding anything a whistleblower might feel like revealing. It is one thing to have legitimate corporate secrets, but lies are far more likely when you provide motivation. There are likely more implications as we determine exactly what was true out of the information Snowden leaked, but even if a fraction of what has emerged is true, these are great places to start.