On Deleting and Expiring Secrets
Jun 19, 2015
Did you ever keep a journal/diary as a kid? Did you ever intentionally destroy that journal to protect those secrets from getting into the hands of prying eyes (siblings in my case, or parents potentially)?
I’ve been thinking a lot about secrets recently. With the breach du jour, it seems like secrets, be they private ones, such as celebrity selfies posted to iCloud, or corporate ones, such as Sony executives discussing casting ideas, are getting harder and harder to keep. Secrets in the context of Big Data multiply these risks by 100s or 1000s or millions. The leak at JPMorgan, for instance, occasionally attributed to a Big Data breach (could be our first?), instantaneously created exposure for over 76M account holders.
What I’m really surprised about is how few organizations delete secrets. For the most part, all collected data seems to live on forever, in all its dark and deep glory, without any common expiry or redaction methodology. If breaches continue to mount and change and expand, I wonder if there will be more pressure on technology firms and businesses alike to invest in data expiry technology.
What might this redaction or expiry paradigm look like? How about a continuous process of managing data retention from the get-go, from the moment the data is created at its source? That retention program would ask of the data… Do we (really) need this data? Do we need this data in its original format, or would a pseudonymized (aka masked) format suffice? And perhaps most efficiently, what’s this data’s expiry?
In closing, we already have a system that could serve as a quasi-model. Our modern food industry has trained us to ask these questions, and know the answers, for our food. I guess you could argue that ALL food goes bad, so forcing its expiration is not identical to data. But from a security versus business benefit standpoint, perhaps we are approaching a time when all data goes bad (risks outweigh all benefits of retention). (Albeit now there is a small backlash that we may be throwing out too much, too soon in food expiry: http://io9.com/the-surprisingly-inexact-science-of-food-expiration-dat-1629542744)
For the record, I kept three diaries when I was a kid (and no, I didn’t have a Hello Kitty design or beautiful script handwriting), but only 1 of those survived into my adulthood. I specifically, intentionally remember destroying the other two. I bet if I read the last one, it will be more risky than it’s worth.