Cybersecurity Truth: Access to Your Data is Limited, Not Controlled

We use the cloud all the time. Right now, you are reading this post in the cloud, and you arrived at this post from another cloud. None of the devices in either of those clouds belong to you or me, and neither of us controls access to those devices. There have been documented cases where personnel at ride-sharing and picture-chatting cloud service providers have stalked users through their cloud data. Where is the cybersecurity?

Police (and others) covertly intercept and record your phone calls, text messages, and other unencrypted communications. Enterprise 3rd party providers use apps, contractors, and cloud service providers, many of which you have no knowledge of. Employees use corporate data on personal devices with unknown apps and cloud providers. Attackers, data brokers, and competitors scrape data from public sources to amass inferred secrets. So, no matter how mature your user access policies, data management policies, and information governance programs may be, you don’t control access to your data, you just limit it.

There has to be a better way. In my opinion, something similar in form to BEP (see my technical conceptual documents) might be one way to proceed. It is one way amongst a few that help you to begin to regain control of your data, but for now, use the most restrictive limits for accessing, processing, storing, and transmitting your data, because you really don’t know who is accessing it. Least privilege and non-repudiation, my friends; we need more of those.