Sunday, 4 July 2010
Does it really have a silver lining?
The first thing about cloud computing is the connectivity, the host of the cloud may have enough network bandwidth, but do you? A local area network typically runs at 100 – 1000mbps whereas a connection to the cloud is limited to your internet connection speed, typically the slowest part of your network.
The second thing to consider is where is your data residing? How much security does it have? As the owner of the data you are the data controller but you are outsourcing the security of your data. Regulation states where sensitive can be stored so if it is in the cloud, how can you be sure where it is?
The third thing to consider is do you want to get tied to the service. It is quite difficult to decouple services once they are in use, try to move your email, in bulk, when it is hosted in the cloud and realise how hard it is so you effectively are tied to the provider.
The fourth reason is it is expensive if you use it in anger. Great for start-ups or provisioning temporary storage but not good for long term use but difficult to break free from.
So does cloud computing have a silver lining? Only sometimes!
Tuesday, 8 June 2010
Call me a cynic
Yes they had an issue with security in China involving Windows but I just wonder how many other security issues they have also encountered with Mac and Linux? Probably a few but not so willing to shout about them because neither is running a rival search engine. Hence my cynicism!
I think Microsoft gets a bad press here. Lets look at the stats. Being generous to Mac and Linux lets say Microsoft is installed on 80% of all desktops. The other 20% being spread amongst the rest. Now let's flip this to a similar scenario. Lets say there is a bank out there. It has 80% of all branches out there and there are several smaller banks making up the rest. Out of all the banks which one do you think would suffer from the most robberies? The one with the most branches obviously.
Now flip back to computers. Why are Microsoft computers attacked the most? Because they have the largest footprint to target and it causes the most impact and generates the most press, not because it is the least secure but because it is the most popular.
So is this a genuine security concern or just a marketing ploy, my mind says the latter.
Monday, 31 May 2010
When marketing fails to deliver
Lately I have been battling with Blackberry encryption. In the past this was a straight forward setup with their old version of BES Professional so I thought I would try out the new version BES Express. According to the marketing blurb on RIM’s website it leads you to believe their new freeby product Blackberry Enterprise Server Express 5 supports PGP.
This link http://na.blackberry.com/eng/services/business/server/express/features.jsp#tab_tab_security
and has the following info:
“Flexible security architecture
For implementations requiring additional security, PGP®, S/MIME and PGP/MIME are also supported. Over 35 IT policies further support the needs of your business by providing adjustable security levels and capabilities that include the following:
• Impose a device lock-down
• Wipe data from a lost or stolen device
• Wirelessly enforce security settings such as Bluetooth® lockout”
Having read the bit that says “flexible security architecture for implementations requiring additional security, PGP, S/MIME and PGP/MIME are also supported” I thought bingo! This should be quick and easy to configure however after two weeks of pulling my hair out and eventually deciding to bite the bullet, admit defeat and pay for Blackberry support, they have come back to say, “errrr actually it doesn’t support PGP”.
This has been a bit of a blow for me seeing as I had recently deployed a new BES Express server for our business based on this info, predominantly to get the new features such as HTML mail. Alas, when it came down to it I could not find the option to configure PGP in the server and so it turns out neither could their support team.
I guess the bottom line is that you can’t always believe what you read! It is a shame that this little exercise has cost me a support ticket and also two weeks of my time on and off trying to sort this out.
Wednesday, 12 May 2010
Time for change
My only worry is that it will be cuts that are deemed low hanging fruit and the significance or importance is not appreciated compared to a quick budgetary win. As always it is down to perception of what is important to the individual making the cuts and there will be some difficult decisions to make however this should in no way compromise our security or information assurance. Data is precious, it is valuable, I am mindful of the average cost of a record for a data breech and also how valuable data is to the criminal world.
There were some interesting facts presented at the Ecrime Congress in London this year about how much personal data is worth, information about individuals that is being bought and sold around the globe. Credit card details, addresses, bank details, information we all hold dear is being traded.
My overarching fear is that with the exabytes of data that the last government harvested will become vulnerable unless security measures are kept and tightened. This is a difficult task in a climate of prudence and austerity where it would be easier to cancel the security project and save a bit of money now and worry about data loss later which would be a bigger crime than the wasting of billions to date has been.
So by all means cut the waste but let’s not cut back on security, especially when it comes to the data they have about you and me!
Thursday, 6 May 2010
is this the death of PGP innovation?
All business, no matter how big or small, rely on data, without data you cannot function no matter what your business. Think about it, even if you don’t have computers you still keep financial records, transaction histories, customer information. All examples of data. PGP deliver a great product suit that gives end to end protection and has the widest spread of products delivering the most protection in the market.
My only worry is that with Symantec taking them over (along with several other encryption businesses) that the innovation and product diversity will start to dwindle and we will lose what has been, up until now, the market leader with regards to encryption. Their boast used to be that they were agnostic only delivering encryption products rather than a whole portfolio of products with encryption being one of them.
I am interested to see how this develops, especially now that Symantec has binned its consulting division, and I hope that Symantec value the strength of the PGP product portfolio as much as I do and keeps on funding the innovation rather than just absorbing it into their ever growing range of products.
Saturday, 17 April 2010
To patch or not to patch, that is the question...
Well patch Tuesday has been and gone and I see that Microsoft has been put in a difficult situation this month with XP security patches. The month before last they released a patch that, when installed on computers that were infected with the Alureon rootkit, caused the machines to endlessly crash. The dilemma they face is if people suffer a bad experience when applying security patches then they are less likely to apply future patches. A kind of damned if they patch and damned if they don’t.
A lot of people slate Microsoft for producing insecure operating systems but the bottom line is that the products are so huge it is almost impossible to prevent vulnerabilities. Think about the complexity of creating an OS that will run on hardware that is outside of your control. A one size fits all product, it is a tall order. Also if I had a pound for the number of times I have heard "if you buy a Mac you won't have these problems" I would be very rich and it shows how naive this viewpoint is. Macs don’t suffer as much because it doesn’t make the headlines as much due to the number of users. Microsoft has far higher market share so generates more attention when exploited and you have a much wider attack surface.
When XP was first launched it comprised of approximately 40 million lines of code, Vista was 50 million lines, which is a lot of room for unforeseen errors.
So in this round of security updates Microsoft has made smart patches. They will check the machine to determine if it has the Alureon rootkit and if it does it will not install the security update to prevent the machine from endlessly crashing. Whilst I understand this approach it defeats the object of patching in the first place.
I think the only solution to this problem is that if you want machines to be stable and to function correctly then don’t be lazy, secure it with decent products and patch it regularly. After all, a security patch is an admission by Microsoft of a problem and highlights where the problem is, if you don’t fix the problem by patching someone will invariably exploit it.
Monday, 5 April 2010
Don’t we learn from lessons? Obviously not!
It infuriates me, offshoring data management has been proven to be insecure, impossible to regulate and a false economy. It is not cheap, it doesn’t save money in the long run, it costs money because of compensation, the cost of changing personal records and financial details and monitoring accounts for fraudulent transactions.
So a false economy and the stupidity of not learning from others mistakes make us all potential victims of data loss. What makes me even more frustrated is that Principle 8 of the DPA states:
“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.
Judging by their track record so far I would suggest that the Indian sub-continent has so far been found to be willing when providing adequate levers of protection for the rights and freedoms of data subjects, all that they have done is sell personal details to criminal gangs and now our medical details are about to go the same way.
Sunday, 28 March 2010
Unique selling point?
So my thought is why don’t accountants and the like offer a unique selling point to their clients, a secure way of transferring data. For example a secure portal for clients to login to so they can exchange data or the business supply their clients with encrypted USB sticks with the company logo on it so it advertises the business as well as proving the client with a way of protecting themselves and their data.
The implementation of such a solution could be promoted to the clients and used to secure new business as a USP.
Simple!
Wednesday, 24 March 2010
Quis custodiet ipsos custodes?
For those of you who don’t know a chap called Herve Falciani stole data about some customers with the view to selling this information. He was employed in the IT department so had privileged access to data. What was his motivation? Well it is reported that he was asking £2,000,000 for the data he stole.
Whilst the theft was made over three years ago it is still coming back to haunt not only the business but also the clients. HSBC has had to revise how many records were stolen twice now. First it was a handful, then 15,000 customers and more recently 24,000 customers affected by this theft. The implications are pretty catastrophic, for some more than others, because the details of their accounts have been exposed which in turn could risk them prosecuted by tax authorities!
So is too much power being left in the hands of the IT department? Yes they need some privileges to do their work but how much? As frequently demonstrated too much.
Most organisations have a security model that can be likened to a sieve, they know there are holes so they attempt to plug them. When they discover the next leak, out come the sticking plasters and another hole is plugged. Realistically this takes a great deal of effort, there is usually something that has been overlooked and so can be exploited. The thing is how much monitoring do you put in place and who monitors those doing the monitoring? After all if you have not spotted a security hole you won't be looking for it or monitoring it. At what point do you stop this process as well, there are only finite resources and in the end who will guard the guards
A recent survey has shown that a staggering 59% of ex-employees take some of their employer's data with them when they leave. This is a pretty high figure when you think about it. Over half of all people that have ever worked for a company will have some of its data. All of that data out there, uncontrolled and the business typically blissfully unaware of how many copies are floating about. Once outside the control of the business there is no way to stop how many times said data is subsequently copied.
I was also reminded of when my own business suffered from this very problem. Several years ago an ex-employee, whom I believed I could trust, surfaced at a competitor and as soon as they joined the competitor our clients started to get phone calls and emails telling them this person now worked for them and asking would they like to transfer their business.
Fortunately no personal data was involved however it did highlight to me the weakness we had by trusting people with privileges on our network. Whilst this also doesn’t speak much of this person’s character (especially as when they left I had reassurance from them that they would never do anything to betray any trust) it also made me appreciate how valuable even the smallest amount of data can be to someone else. I don't know what his motivation was, perhaps desperation to get a job so offering a list of potential new business on the condition of a job could have been the angle, I will probably never know and to be honest don't really want to.
We also did not know this was happening but fortunately several of our clients contacted us to make us aware that this was happening and I thank them for their loyalty to us. What made it so obvious was that the competitor had foolishly used privileged information only we had and in doing so exposed it's source.
After this exercise I immediately decided to change the way we worked and how we granted privileges to staff and so rolled persistent encryption on our data so that no matter who had access to our data, if it were ever copied it would be rendered useless outside of the control of our network. Fortunately the product we implemented is very good and forces encryption whenever anything is created but denies the ability of the creator/author to decrypt it.
Whilst I appreciate that this is not a magic bullet (trust me we also have some IDS, DLP and NAC in place as well as usual server security and auditing) I am able to rest more easily at night knowing that if someone has found a new way to copy our data outside of our control, and inevitably they will, it will be in a pretty useless format once they take it away.
After all there is only so much security you can put in place before you prevent someone from being able to do their job so instead of putting in too much, put in smart solutions that give the most protection for the least overhead like we have.
Thursday, 18 March 2010
Something to look forward to...
It has been nine days since my last post. I can't believe I left it so long and a lot has happened since I last posted.
It is now only 19 days until the legislative changes allowing the ICO to up their game and is given real teeth. I have been very busy speaking to various organisations about information assurance and compliance for the new legislation and as it is the same info it is getting a bit samey.
On that note, I notice that Argos has managed to escape falling foul of the changes because the security flaw with their payment confirmation emails is now in the public domain. Even though they have exposed client personal financial data that could have serious implications to the various clients they cannot be fined retrospectively. Mind you I would imagine the PCI is not too happy about them exposing not only client credit card details but also the CVV as well so I would imagine there will be discomfort coming their way.
I am looking forward to April where I will be attending the Counter Terror Expo and also InfoSec. I have never been to the counter terror expo but some of the presentations caught my eye as there are a lot of parallels with some of the work I do. It should be an interesting expo. I am also looking forward to InfoSec, I enjoy attending this and it is an opportunity to meet up with some familiar faces. I am meeting up with at least two ex colleagues which should be a good laugh.
Tuesday, 9 March 2010
28 days later...
After April 6th I wonder if we will see similar panic and terror on the streets as we did in the film?
Wednesday, 3 March 2010
How much is fraud costing you, it could be more than you think!
Fraud is estimated to cost the UK economy between £13bn and £20bn every year! This equates to a cost of £330 for every person in the country, every man, woman and child which is paid for through higher charges for goods and services and through higher taxes. The cost of every act of fraud is passed onto the end consumer to pay for it.
On average 6% of an organisation’s annual revenue is lost to fraud and 58% of these fraudulent activities are committed due to inadequate controls within the business.
So thinking about it, because a business doesn’t take their security seriously enough, it costs you and me, on average, £330 per year, each!
I don’t think this is fair. OK there will be crimes that are difficult to stop, but it would be nice for them to make a bit more of an effort. It is well-known by industry that most frauds that are carried out in the UK are done so by well educated, married men between the ages of 35 and 44.
Whilst I appreciate you can’t prevent everything, implementing tighter controls would mean that the level of fraud would come down and the net benefit would be that we would get cheaper goods and services. The knock on effect would also be that individuals would see fewer cases of identity theft so less angst in having to resolve it.
I would guarantee you that if you call a business and ask them if they have adequate security in place they will say they have but the reality is always way short of the mark.
Thursday, 25 February 2010
A good day...
Over lunch we got talking about the good old days when we worked together in Belgravia and how we managed to achieve so much with what little technology we had at the time. Looking back it is funny to think how we did especially when we reminisced about some of the implementations in the organisation and the now primitive features we relied on.
This got me thinking back even further to the spec of my first ever computer; it had 3K of working memory in total and used an audio tape player for storage. It was a Commodore Vic 20 and it was what made me embark on a career in computing, I have to thank my father for making the significant investment (which it was at the time) in the computer, I got bitten by the bug and have spent my entire working life in IT.
It is strange to think that I am typing this blog on my netbook whilst I sit on a train, I am online and I am taking all of this granted, it just works without me needing to worry. My netbook (let’s face it, by their very nature they are not the best spec) has 666,666.66667 times more working RAM than my first ever computer which is a massive leap in size, that is six hundred and sixty six thousand, six hundred and sixty six times more RAM, it is just mind boggling!
The first PC I worked on had a 20MB hard disk and it was cutting edge at the time, I would be amazed to see any computer OS run in less RAM than that nowadays. My little netbook has a 128GB solid state drive, 6400 times more storage that the first PC I worked on and the access times are significantly faster.
So where am I going with all of this? Well this shows how computers have evolved. It is common place now to have more RAM in a computer than you had as total storage in a computer just a few brief years ago and people now have storage in workstations measured in terabytes and for business network storage measured in petabytes.
As computers get ever more complicated, so do the threats and it is the challenge that we face to keep one step ahead in the IT security arms race that keeps my job interesting.
I find it hard to imagine what life would be like now without my computers however I also struggle to imagine what leaps and bounds that will be made that will be as significant as the last 20 years however I look forward to finding out.
Monday, 22 February 2010
The endpoint is nigh
I have been playing with endpoint device control lately, different products from different vendors and I must say they offer some very good features. It has been a bit of fun deploying these tools, breaking machines and totally restricting their functionality and then working out how to make them work again.
It has been a great exercise, these products are great at controlling devices however I also get the sense of false security as they also offer the opportunity for things to slip through the net. You have to be very careful with the configuration, too tight and people can't work, too slack and there is no point in having it, it is finding that balance and the constant tuning that is required that kills this as a viable solution for me.
To me endpoint device management is quite a messy way to control your environment, after all, why do people have it? Typically to prevent things being copied that should not be, however if they have the ability to get the data as far as their machine then it is pretty much too late by that stage.
The bottom line is I can think of easier ways to prevent data loss and stop people from copying your data.
Friday, 19 February 2010
The virus spreads
Again it will take up to a week to clean all of the infected machines. So here we have people having to work over the weekend as well as the normal working week in order to mop up a mess that could have been prevented by simple patching.
This is just unforgivable and must be costing a fortune to mop up the results of sloppy IT management and security, how do these people justify their positions with these results?
Tuesday, 16 February 2010
Viruses found in hospital!
This time it was the Leeds Trust which has been hit by the Conficker worm. Why is it so hard to patch computers? I am really frustrated when organisations don’t do something as simple as apply patches that allows this type of infection to occur, especially when it affects systems that are, by their very nature, sensitive.
I would bet that the amount of effort that has gone into the clean-up process is far more than it would have taken to patch the servers in the first place which in turn would have prevented this incident in the first place.
A statement said “they think they know the source of the infection”. In other words the source may well be not what they think it is, they are not definite. The suspected source is an old laptop that was plugged into the network.
What I find worrying is that a computer could just be plugged into the network without automated checks on the machine’s state, no quarantining of the device until it was confirmed to have current AV signatures so we end up with an infection, it was just allowed to connect and infect.
I appreciate that budgets are tight and that everything is risk based but come on, what are the chances of having people who are too lazy to patch. Quite high in this case!
This is basic stuff, patching coupled with simple network access control which is not expensive. If anything the mop up and remedial work is more expensive when you factor in the cost of disrupting all of the staff that cannot work due to the outage. It has taken them a week to sort this problem out.
I want to see a more robust approach to security, especially weak areas such as simply patching servers and allowing machines to access the network without any basic NAC . There are some tip top products out there that are not overly expensive and will do the job really well, it is just a shame organisations that hold our confidential data (and you can’t really get more confidential than health records) are not implementing them.
I think it is about time that the NHS was given a directive with serious penalties so that they actually do something about the awful state it is in. It is a bit harsh but I would like to see a few heads roll in future, that might make people in the NHS take computer security seriously.
Saturday, 6 February 2010
Good or bad, I'm on the fence.
I am not sure if this is a good thing.
Whilst I admire them for having the confidence in their product to invite deliberate attempts to compromise it and find flaws the cynical part of me is thinking hold on, this is just a cheap way of QA'ing code.
I am in two minds and I can’t decide if this approach is a good or a bad idea. Sure, commercially it is a good idea, you get a multitude of amateur testers working in their spare time, for free, and all it costs is $500 for each flaw they find. Genius!
But I am worried that someone will decide it is cheaper to release minimally tested products and offer a bounty for finding flaws than to properly test it.
I am hoping I am just being cynical and all products that get released are secure and this is just a marketing ploy to grab headlines. Mind you, suppose their product is totally flawed, it could be more expensive than they anticipated!
Wednesday, 3 February 2010
Here comes trouble...
It will only need one prosecution to be publicised for businesses to start to take this seriously and we will finally see security taken seriously.
It is a shame that it has had to come to this but because, from my experience, a lot of organisations have always gone for the cheapest solution which doesn’t cut the mustard, it can only be a good thing and can't come soon enough.
Friday, 29 January 2010
Rotten Apple?
I was fascinated to see the BBC website providing so much free advertising to Apple and their new iPad. I can’t understand the hype around this product, it is meant to be a device to open up a whole new market segment. I am sorry, a new market segment? Don’t they mean an old, stale market segment that has never taken off and will probably not but one Apple can exploit because their target audience is people who put brand over function and will buy shiny Apple products no matter what they are?
When I first saw the iPad my first impression was it is a big iPhone. Sometimes in the weekend papers you get a catalogue and one of the items of tat for sale is typically a mobile phone aimed at the older consumer, you know the type, it has a simple display and BIG chunky buttons. That is what the iPad looked like to me, an iPhone for the elderly.
Don’t get me wrong, I do like some of the products that Apple produces, I own some of them, I just don’t think Apple deserves the hype they get each time they launch something, especially something as lame as this.
Let’s cut through the Apple veneer and look at the reality of tablet computing. They are difficult to use unless you like clipboards because you need one arm to cradle the device so it is one handed typing if you use it whilst you are out and about. The iPad is touch screen only so no handwriting unlike other tablet devices that support a stylus. From the tech specs and reviews it appears not to be able to multitask, it is more linear so you need to exit one then launch the next application each time you switch between them. They are cagy about the internal spec, speeds and memory due to them saying it is proprietary and cannot be compared like for like but I don’t buy this argument, I think what are they ashamed of?
Personally, I would look at the new HP Tablet IF I were considering one handed awkward computing, but then personally I would not look at tablets full stop. Instead I think the best route, if you want a device without optical media, is to go down the Netbook route. At least you get multitasking, the ability to connect external devices and the option to install different applications that are not all channelled through an expensive online portal that holds you and the device to ransom.
I don’t want to comment further, suffice to say that Apple are genius at appealing to a narrow sector of society and always will be. On this basis my gut feel is that this device will fill a gap in the market, not a technological gap but an emotional gap in the lives of people who are Apple fans who just have to have one, then ask what does it do.
My prediction is we will see a lot of iPads on eBay in about 3 months after people get exasperated with tablet computing. It is not new, it has never really worked and it never will for the mass market, they are hard to use and the novelty wears off really quickly.
Judging by the technical reviews (not the gushy non-techie journos who are infatuated with Apple) and how I predict users will typically feel after the initial shiny shiny new gadget feeling has worn off and they have get to grips with using it regularly I think it will be dubbed the iSlate!
Tuesday, 26 January 2010
Look after your data….
If you have read my previous posts you have probably guessed that I have a bit of a thing about data security. Thinking about it, why do we have security in organisations? What is it protecting? Ultimately it is protecting what that organisation values which in the IT world is data. Without data computers are just tin and wires.
This is why I have taken to standing on my electronic soap box and start ranting about data security!
I happen to think it is a very important subject and deserves a lot more attention than most organisations give to it.
From my experience there are many excuses, the most common being cost, this really annoys me. It is much cheaper to implement good security and prevent a data breech than to suffer the cost and consequences of having to retrofit security.
The second is “we don’t have anything that needs securing”, again this really annoys me and it is utter crap. It shows they don’t value their data. People who have this approach only really value something when it is gone. There are some lighter moments in my life when I see peoples worlds crumble when they realise their data is more important than they were saying.
The third is “we have something already which is good enough”, typically just disk encryption, don’t start me off on that one again!
I so often see poor data security which was implemented as a knee jerk reaction. This typically ends in an expensive disaster, swiftly plugging a security hole without any planning leads to years of suffering the consequences.
I am mindful of a case where an overenthusiastic organisation had gone to great lengths to encrypt their archive data following a data breech. Their approach was typical “we have had a breech, let’s fix it ASAP”. The person that was made responsible for the project dutifully encrypted all of the archive data but did not documented the implementation and subsequently left the organisation. The archive data was accessed so infrequently that no one knew they could not decrypt the data without the information in their ex-colleagues head. Now came the time to access archive data and the found they couldn’t, there were terabytes of scrambled data that was no use to them.
Priceless!
Sunday, 24 January 2010
The false economy of shutting the stable door after the horse has bolted
Look, I know budgets are tight but surely it makes sense to look at the entire estate and resolve all of your security issues in one hit rather than the on-going cost of fire fighting.
When a company has a security breech there are several things to consider, the first is the tangible cost of resolving the problem. This is what organisations focus on because, as I said, it is tangible.
The second is the intangible cost of the problem, one that is not so readily seen and the effects can take a while to be noticed but by then can be too late and can devastate a business because they were unprepared for them. The intangibles are made up of several factors, reputation damage which affects how much existing business you will retain and how much new business you lose as a result of shoddy security. How many clients will want to do business with an organisation that exposes their details? There is also the cost of damages and making right, for example if the organisation exposes financial details then there is the cost of monitoring accounts for fraudulent transactions which all adds to the costs.
I won’t go into the long list of intangibles because they vary from industry to industry however what I can tell you is that year on year the cost of a data loss has gone up. How do I know? Every year, the Ponemon Institute publishes the average cost of a data breech and it is printed there in black and white. If you want a copy, email me and I will send you a copy of the reports.
There are numerous cases where businesses have gone bust as a direct result of being cheap with computer security.
So when asking those higher up the company food chain for an IT security budget, find out if they have business insurance for fire and theft, I know this sounds a bit off topic but bear with me. Businesses don’t typically burn down that often and whilst we perceive crime to generally be on the up, the instances we deal with are thankfully few and far between (unless you are in the police or insurance game) so why do business bosses feel the need to insure against these things but not insure against data loss? The bottom line is businesses do plan for these possibilities and have mitigation and planning to deal with them, and so you can argue the same case for data security?
So the message for today is to think of computer security as another form of business insurance, because whilst you don’t want to be in a situation where you have to use your insurance, you are bloody glad you’ve got it when you really need it and so will the bosses of the business.
Saturday, 23 January 2010
Who is responsible for data security?
This is one of my favourite topics and one that businesses typically overlook.
Let’s look at an imaginary example with the rather snazzy names of The XYZ Coffee Bean Company and Acme Payroll Services. The XYZ Coffee Bean Company has outsourced payroll processing to Acme Payroll Services. Acme Payroll Services now holds personal information, bank details etc for all of the staff at The XYZ Coffee Bean Company. Acme Payroll Services has a security breech and the personal details of staff at The XYZ Coffee Bean Company are stolen.
Q. Whose responsibility was it to secure The XYZ Coffee Bean Company payroll data that was stolen from Acme Payroll Services?
A. The XYZ Coffee Bean Company.
This answer usually surprises people, after all Acme Payroll Services should have provided a duty of care to The XYZ Coffee Bean Company and Acme Payroll Services should have been responsible for securing their own environment and protecting their customers? Morally the answer is yes, legally the answer is nope!
I have been speaking to lots of organisations about Section 144 of the Criminal Justice and Immigration Act of 2008 because it sets out the responsibility of the data controller / custodian (who owns the data) and the data processor (who handles the data). It has been a scary journey with most organisations being unaware of this. I am afraid that if an organisation owns the data, then that organisation is responsible for it, no matter where it goes, even to third party organisations.
I think this approach is great because it puts to responsibility directly onto the company that initially gathered the data. I want to know that if I give my personal details to The XYZ Coffee Bean Company they will be legally bound to ensure it is looked after, no matter where it goes. If they don’t take care of it, they are liable, not the third parties that they farm my data off to so it should make them more responsible.
Wouldn’t it be refreshing if (a) organisations actually knew Section 144 exists and then (b) put processes in place to ensure they complied with it?
Never mind, I guess until more organisations take section 144 seriously we will continue to have a slipshod approach to securing data.
Thursday, 21 January 2010
Encryption for the masses?
What you ask?
Those who know me know I have been banging on about data security for some time now so will be wondering why am I now asking if encryption is a good thing? In reality I am not questioning if encryption is a good thing, of course it is (so long as you remember passphrases etc) but is choosing an encryption product because it comes with an antivirus product the best way to do it?
Why have anti-virus companies suddenly taken an interest in encryption? If you read the vendor websites they say it is because they now offer a total endpoint security solution. Noble marketing but is it the real motive?
I don’t think so, I think it is just a product USP arms race, one vendor offered encryption and suddenly had a USP and so the rest followed suit not to be left behind. Is this best way to get disk encryption? If you are a home user, probably, yes, if you are an organisation I think not.
The thing is by using an anti-virus bundle you are tied to them. Rip and replace of anti-virus software is comparatively simple compared to ripping and replacing disk encryption.
Wednesday, 20 January 2010
New year, new attitudes?
I have a personal interest in this, as should you, because organisations out there hold personal information about all of us. I have no idea how many organisation hold data about me but thinking about how many things I am subscribed to, companies I have done business with or have had dealings with, it is lots and I would be very surprised if any of it is encrypted.
I want organisations to provide a duty of care and not to have my personal details compromised if they have a security breech. I want people to look after my personal information as I am sure you want them to look after yours.
Computers have changed everyone’s lives both directly and indirectly. Storage has become cheaper and larger in size, and portable devices are smaller in volume but larger in capacity and more portable than ever. More data can be stored in smaller devices which means more can be lost or stolen.
People’s third hand experience of computers within organisations is mostly positive but some people’s experience has been bad and in some extreme cases catastrophic.
The cases I am thinking of are when people are the victims of someone else losing their data, not through any fault of their own but because an individual or organisation that was entrusted with their personal information has not had the decency to secure it properly.
The most prolific case in the UK being HMRC losing two disks with all of the child benefit details, approximately 25 million financial records. I was one of the 25 million victims who had personal bank details exposed.
We are forever told about the risk of identity theft and how we should protect ourselves but it is all for nothing if others can’t be bothered to secure our personal details.
In the past it has not been a criminal activity for an organisation to lose your personal details but hopefully thing are about to change in the UK and it is about time too!
Most organisations are blissfully unaware of these upcoming changes or how it will affect them both in terms of what has already been implemented and what is proposed. I am hoping this legislation will change the approach of organisations towards security.
My biggest pet hate at the moment is a blasé attitude towards data security. I have heard “We have implemented disk encryption so we should be covered” so many times and it is such a naïve approach. This sort of approach is like getting the biggest and best locks on the front door of your house, bolting it shut and declaring that no burglars can get but at the same time leaving every window of you house open.
Yes encrypting a hard disk has secured one portion of your estate but it hasn’t secured all of it and where there is insecure data, there is risk.
Data is probably an organisations biggest hidden asset and, unless you are a cat farmer, the most difficult to control.
I would challenge any organisation to declare they know exactly where all of their data is and how many copies there are. Most organisations have little if any control over their data worryingly both in the public and private sectors, most of which leak data like sieves with the biggest offender being the NHS in the UK.
A while ago disk encryption was high on everyone’s agendas, cases like the Nationwide Building Society having a laptop stolen with 11 million customer records on it highlighted the vulnerability of computers that were portable and so a wave of disk encryption started. Great, people started to implement security, the five lever lock was fitted to the front door. Now it is time to get the window locks and burglar alarm fitted. It is time for people to look at securing data, not devices.
You see it is not the computers that are portable, although I have heard many stories of computers walking, it is the data. Most organisations still try to prevent data from being copied but there are too many holes to plug. I say let users copy the data, as much as they want, I say just make sure the data is useless when it is outside of the organisations control, if it is encrypted it is gobbledegook and useless.
It doesn’t matter if you work in the public or private sector, change is afoot and there will be big fines and also the chance to languish at her majesty’s recreational facilities for criminals.
Hopefully when people start getting £500,000 fines for losing data people will start to take this matter seriously.