Tuesday 11 June 2013

How to embrace the cloud to improve information management

I'm involved in quite a few activities at present, and the Cloud provides a dynamic, scalable environment to foster collaboration. I do, however, see old behaviours creep in that actually weaken the governance surrounding Cloud services, which has led to this post: how can you embrace the Cloud to improve information management?

First off, this post assumes that you have assessed your information and your supplier of Cloud services, to ensure that the risks arising from the information stored within the Cloud are managed.

So with that area covered, there are four main areas to consider: authentication, access management, collaboration and backup.

Authentication - how many factors can you employ?

Microsoft Office 365 doesn't allow you to use the powerful multi-factor authentication it uses in its free consumer email and file storage (i.e. Outlook.com and Skydrive), which is frankly bemusing to me.

Google Docs, on the other hand, supports a myriad of multi-factor authentication mechanisms across all services, ranging from one-time codes sent by text to a mobile, to Google Authenticator and per-service passphrases (the latter two are supported in Outlook and Skydrive, but not O365).

Access management - how do you control access to information?

Microsoft Office 365 has a good set of built-in permissions, including "everyone except external users", but doesn't appear to prevent download. SharePlus Pro, GoodReader or Quick Office are good solutions for restricting access via PIN.

Google Docs can enforce a "don't allow download" option, but also allows access management via its purchase of Quick Office (Google Drive doesn't allow a PIN). The latter may not be an issue if the mobile device you use (and let's face it, that's when most of us have the time to process documents) is only used by you; but unless you are provided with a tablet device by work, you will use the electronic babysitter (aka the tablet; does BYOD actually stand for Bring Your Own Dummy?), and then it is an issue.

One note though: this only works if you share documents as links, not if you use the old method of circulating documents within emails. This applies to both solutions, and I'd always recommend using domain emails (if you already have a Google Docs account, then this is a free option), with the option to forward emails to other accounts for those organisations who haven't yet woken up to Cloud adoption.

Collaboration - how can you collaborate on one version of the truth?

This depends fully on the use of domain-level links, as otherwise you're managing at least two circles of trust: that of your Cloud service, and that of the various organisations who participate. Sending links to domain accounts means that all comments on documents are captured in real time, which reduces the administration effort in collating views. It also avoids the situations whereby people are looking at an outdated document, or cannot see that their comments have already been captured.

The main difference between Office 365 and Google Docs in this area is that Office 365 requires you to check a document out, whereas Google Docs allows real time collaboration on files created in its own formats (i.e. you can't collaborate on Microsoft Office file formats at all).

Backup - can you recover from a loss of data?

The main item to consider here is how you maintain an offline copy of all your data and ensure that issues don't occur. True Cloud solutions like Microsoft Office 365 and Google Docs are great for maintaining the files, but beware of using systems such as Dropbox, as a deletion of a file is automatically replicated across all other copies (or, in my case, disabling the agent on one Mac where I had deleted the files, then renaming the agent by mistake, after which it tried to replicate the deletion across my document store).
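To make the backup point concrete, here is an added example (my own illustration, not code from the original post or from any of the products mentioned): an append-only snapshot of a synced folder, so that a deletion replicated by a sync agent of the kind described above can still be recovered from the offline copy. The folder names, the 20% alarm threshold and the sample files are all constructed for the demonstration.

```python
"""Append-only snapshots of a synced folder, plus a check for mass deletion.

Snapshot directories are write-once: nothing in them is ever modified or
pruned by this script, so a deletion that a sync agent replicates into the
live folder cannot propagate into the backup. All paths and thresholds here
are assumptions for illustration.
"""
import datetime
import shutil
import tempfile
from pathlib import Path


def take_snapshot(live_dir, backup_root, stamp=None):
    """Copy live_dir to backup_root/<timestamp>; refuses to overwrite a snapshot."""
    if stamp is None:
        stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = Path(backup_root) / stamp
    shutil.copytree(live_dir, dest)  # raises if dest exists: snapshots are write-once
    return dest


def latest_snapshot(backup_root):
    """Most recent snapshot directory (timestamps sort lexically), or None."""
    snaps = sorted(p for p in Path(backup_root).iterdir() if p.is_dir())
    return snaps[-1] if snaps else None


def missing_since(snapshot, live_dir):
    """Relative paths of files present in the snapshot but gone from live_dir."""
    snapshot, live_dir = Path(snapshot), Path(live_dir)
    missing = []
    for p in snapshot.rglob("*"):
        if p.is_file():
            rel = p.relative_to(snapshot)
            if not (live_dir / rel).exists():
                missing.append(rel.as_posix())
    return sorted(missing)


def deletion_alarm(snapshot, live_dir, max_fraction=0.2):
    """True when more than max_fraction of snapshotted files have vanished,
    the signature of a replicated mass deletion rather than routine tidying."""
    total = sum(1 for p in Path(snapshot).rglob("*") if p.is_file())
    if total == 0:
        return False
    return len(missing_since(snapshot, live_dir)) / total > max_fraction


def restore(snapshot, live_dir, rel_paths):
    """Copy the named files back from the snapshot into the live folder."""
    for rel in rel_paths:
        src, dst = Path(snapshot) / rel, Path(live_dir) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)


def demo():
    """Constructed scenario: snapshot five files, lose two to a replicated
    deletion, detect it, and restore them. Returns (lost, alarm, recovered)."""
    work = Path(tempfile.mkdtemp())
    live, backups = work / "Documents", work / "backups"
    live.mkdir()
    backups.mkdir()
    for name in ("a.txt", "b.txt", "sub/c.txt", "sub/d.txt", "e.txt"):
        (live / name).parent.mkdir(parents=True, exist_ok=True)
        (live / name).write_text("content of " + name)
    snap = take_snapshot(live, backups, "20130611T000000Z")
    for name in ("a.txt", "sub/c.txt"):      # the sync agent replicates a deletion
        (live / name).unlink()
    lost = missing_since(latest_snapshot(backups), live)
    alarm = deletion_alarm(snap, live)       # 2 of 5 files gone: 40% > 20%
    restore(snap, live, lost)
    recovered = (live / "a.txt").read_text()
    shutil.rmtree(work)
    return lost, alarm, recovered


if __name__ == "__main__":
    print(demo())
```

The design choice is that the backup destination is never reconciled with the live folder: a sync tool's job is to make every copy identical, which is exactly why it propagates deletions, whereas a backup's job is to keep what the live copy no longer has. The alarm threshold is a crude heuristic; a real deployment would tune it to the normal churn of the folder.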

Given that UK Companies legislation requires companies to maintain the primary copies of all company records within the UK, this is something you may wish to consider.

- Posted on the move, please excuse typos!

Friday 17 February 2012

If you could have one wish, what would it be?

I recently saw an analogy that relates the Cloud to a bank. The analogy made sense when I first looked at it, as it stated that the safety of your money relied on the security of your PIN. As I began to consider this further, I realised that this analogy needed further development, and could then relate to the current state of ‘security’ as we understand it.

You see, we trust the banks; indeed our paper money is based on a promise from a trusted authority (the Bank in this case) to pay the person who holds the bit of paper. This concept dates back to the Knights Templar and promissory notes, and holds for as long as the method used to transact can be trusted. The trust we had in the Templars is exactly the same as we have in the banking system, that is to say a blind faith in the infrastructure based on reputation.

How does this relate to my important thing to crack over the next year? My important thing to crack is to realise that the blind faith that we have in security is as foolhardy as the blind faith we have in our money being safe within the banking sector.

This isn’t a political statement; but just as the banking industry is based on the old teller model, so is our security industry based on security principles that assume a similar context. Both models have proven to be unsuccessful at protecting assets since the dawn of Web 2.0, as can be shown if you are subject to fraud on your account; the bank simply accepts that fraud can occur and pays out rather than creating the systems to protect your money when the transaction is no longer conducted within the bank itself.

We need to understand that in order to evolve into a business function, the security industry has to move towards understanding the information asset; this necessitates a move beyond the protection, toward the accuracy and availability which provides business value. All three attributes are at odds with each other, but we can no longer assume that security exists in any context.

In order to evolve beyond our current state, we need simply understand two immutable facts; a control is rarely a solution in isolation, and controls to a defined risk rarely result in the spate of fines that have driven the focus towards compliance risk management.

Once we realise that a state of security is no longer achievable, and instead undertake the risk management for information assets that is required within the current information society, real progress can be achieved.

Friday 15 February 2008

Perpetual Compliance Initiatives – have we understood the real meaning of PCI?

The information security industry reached a point of maturity during 2007, when companies scrambled to comply with the realities of various legislation, regulation and security standards that started to gain prominence in the boardrooms of UK Plc and beyond.

Annus mirabilis? – Security lessons reach the Nation(wide)!

First we had the fine of Nationwide by the FSA under the third principle of the FSA’s principles for business, which states “that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.” The fine related to the loss of a laptop, where it was found that Nationwide did not have adequate information security procedures and controls in place, and that it was not aware that the laptop contained confidential customer information. This resulted in a fine of nearly £1 million, which sent shockwaves throughout boardrooms.

So what was the result? Did we see an improvement in information security procedures and risk management systems? Of course not; we saw the sales of laptop encryption products rise to a level never previously seen.

We then had the revised version of the Payment Card Industry Data Security Standard (PCI-DSS), initially released in June 2005, which superseded the initial version in January 2007. Now you might say that the PCI-DSS surely came before the FSA fine? You would be correct, but the point I am making here is that the knowledge of this contractual obligation only happened after a frenzy of understanding driven by the vendor community, which is still continuing to this day, with any seminar including PCI in its title being well attended. The PCI-DSS has proven to be a very profitable business for the QSA (PCI Qualified Security Assessor) and ASV (Approved Scanning Vendor) alike, as businesses struggle to grapple with a security standard which is quite clear and prescriptive in its intentions. The visibility of the PCI-DSS is/was also assisted by the amount of press coverage given to the pilfering of credit card details from the systems of TJX in the USA, although it must also be stated that this visibility was greatly helped by the promise of fines for non-compliance.

We also finished the year with a high-profile loss of customer details from the HMRC, due to a lowly employee posting the full details of millions of child benefit claimants through the post. This, combined with other personal data losses, made front page news and gained scorn from the popular press and politicians alike as the government was judged to be incapable of providing the same level of security as the private companies within the UK provide.

So what’s the issue then?

The PCI-DSS, along with the effect that the Nationwide fine had, is indeed a welcome fillip to the industry as a whole; we have for too long been seen as techie nerds who have a propensity to speak in binary and stop business happening.

With a new-found prominence of the failures of non-technical controls within the popular press, and the opportunity to build upon the business understanding started by Sarbanes-Oxley that would surely be cultivated by, and prosper under the obligation to comply with the PCI-DSS, the role of security functions would surely be elevated in the structure of organisations. Sadly, this has been an opportunity lost to date; the culture of ‘Good enough’ security from 2006, embarking on the continual quest for compliance rather than excellence, and a failure to provide the security professional of today with the non-technical skills to converse with their business counterparts has created a stalemate.

Experience shows that the true route to compliance for the PCI-DSS comes from understanding how the business works and where security controls can be introduced to gain compliance. This is truly a unique opportunity for security functions to understand the workings of their business and the business to understand where the security function can add value and structure to their revenue streams. However, many companies look towards business analysts to provide the expertise to achieve compliance, placing a buffer layer between the two areas and yet another chance for the communication to become misunderstood.

Similarly, the Nationwide fine was a unique opportunity for security functions to highlight that it was not the lack of technical controls that resulted in the fine, but a lack of understanding of the risk arising from its business processes. Again, this opportunity was lost in a flurry of additional technical complexity being introduced without a similar improvement in the structure and quality of risk assessment and procedural architecture.

Do the above examples show business value, or are they nothing more than a tolerable cost? The current short-term approach to security cannot be sustained in its current form, with companies being forced to spend money on the next big thing without any evidence of improvement in the security infrastructure within their organisation.

Solving the current malaise

The lack of understanding of the skills required within the security industry to banish the tired rhetoric causing the current perception from business professionals exacerbates the above issues. We talk about security architects instead of consultants and consultants instead of engineers/technicians. We as an industry need to shake off the jeans and trainers, and adopt the business suit, attitude and language to change the perception within the boardroom.

Ask yourself a few searching questions:

· When did I last ask what our business wants to do in a month, six months and a year?
· Do I understand the laws and regulations that affect my company well enough to explain them to a child?
· Could/would I explain to the person in sales why they should involve me? Does that explanation include what’s in it for them?
· Do I look to relate the technical security issues to a law and/or regulation instead?
· Can I provide security metrics that can be understood and actually show progress?
· Do I dress like my peers in the business departments?

The simple fact is that every one of the above is important; even dressing in the same manner as your peers in other areas of the business is important in breaking down the sub-conscious psychological barriers that can affect the way that people interact. If you’re a manager, or other senior security professional, do you really need all those technical skills, or do you need someone who can win hearts and minds and become the friend of the business? Do you consider the understanding of the legal and/or regulatory issues that you and your teams have?

Other examples of where to show improvement are in metrics and strategic alignment; ask yourself some more questions:

· Do I look to find and measure the root cause of attacks within my organisation rather than just present the number of viruses detected last month?
· Do I consider the applications and systems that require the same protection levels and group them in the same network and system builds (e.g. sensitive data requires encryption, more secure systems etc)? If you answered no, or indeed feel that this is unrealistic, consider that most infrastructure gets refreshed within a five year period (or less). The business benefits of creating these logical domains of trust can include the ability to adopt risky technologies that have a significant cost-saving, through lowering the residual risk, and the improvement of security monitoring through the control of systems. This provides a win for the business and a win for the security function.

Through designing a security architecture with tangible business benefits, and providing meaningful security metrics, early adopters of the business security mindset can elevate themselves to the same usefulness as other professions such as accountants.

This isn’t a quick fix, but you have a responsibility to educate others and ensure that the business comes to you for help rather than running away from you.

Tuesday 18 December 2007

Securing data - is it really just a problem in government?

Introduction

We've seen an upsurge in interesting leaks recently regarding data that you would wish to be private, from Her Majesty's Revenue and Customs (HMRC) to the Driver and Vehicle Licensing Agency (DVLA). I've heard so much hyperbole surrounding this issue, with everyone from former identity fraudsters through to industry experts and MPs commenting on how poorly the government is dealing with the issue of security compared to private companies.

The reality, however, is different; information is being continually leaked from companies, with the most recent instances being those from TK-Maxx and Nationwide. Now these are the ones that you have heard of and that could not be denied, but what about those where a person sends data to a business partner without checking their security? What about the ones where unencrypted personal data is sent through the post without checks being carried out with regard to the protection required for the data held within it? What about your payment card details being passed to a person with no mandatory protection at all over a phone call, with all the details required to make payments?

Ignorance is bliss!

Don't believe that the above could happen? Think again: there is no standard that companies have to follow regarding security, yet there are many laws that control many other aspects of corporate life. In my previous professional life, assessments of companies from a security standpoint would often show surprising results; large companies would often have little understanding of the most basic law regarding your privacy, the Data Protection Act 1998 (DPA '98). More concerning is the number of small companies hosting copies of their customers' (i.e. larger companies') customer data with no protection, due to them being "too small to have the ability to understand security"! Think about the last point: if you have anti-virus and a firewall and update your Windows system regularly, then you are very likely to be more secure than the companies storing your customer data outside the control of the very company that you have entrusted it to!

I have been the victim of data loss three times now over the past year - twice due to a hacking attack and once due to the loss of a CD-ROM (Guess which one!). The hacking attacks were due to the use of eCommerce, and the first of these gave the most glaring example of the issues that we all face - blissful ignorance!

With a marked downturn in physical 'offline' sales this Xmas compared to a 50% increase in 'online' sales, this is probably one of the most relevant topics of conversation, but one that is missed by all of the popular press during the recent data losses!

Returning to the case of blissful ignorance, the company in question had suffered a loss of over 100,000 customer records and when I enquired as to the reason I was told firmly that I was the only customer who didn't understand that the company was the victim here! I was astounded, and when I pressed further was firmly told that the company couldn't be expected to understand the ways that websites can be broken into! This attitude is akin to a person who owns a traditional shop saying that he/she didn't realise that they had to lock the doors and windows at night, and that would never be tolerated by the public at large (Hopefully) as they understand that you would have to do that and they would do this very activity at home.

Understanding the issues

Is security really that hard to comprehend? Well, you might say that it's easy for me to say this, as I have many years' experience in both offline and online security to provide me with an understanding, but I believe that the issue is this: financial savings can be made from the use of the online environment, but with it comes a need for further protections that cost money themselves. If your purse/wallet was stolen then you could apportion blame, as you had taken all reasonable precautions, but to continue the analogy, many companies either leave their purse/wallet in full public view or entrust it to a stranger.

An interesting point to be raised with this analogy is this: if the purse/wallet were stolen then it's theft, but is it theft if customer data is stolen from a website? Within the UK, the answer is no, as the legal definition of theft in the UK is “the dishonest appropriation of property belonging to another with the intention of permanently depriving that person of it”. In English, this means that unless you prevent access to the data, then it's not theft.

This is part of the problem here: walk into a bank and steal money using a weapon and it's armed robbery, and the proof that the robber used the weapon is just part of the trial. Steal money, customer and/or credit card data and it's computer crime/hacking; theft doesn't get mentioned at all! This lack of alignment of computer-related theft with the normal statute means that it's allowed to be complicated in techno-babble rather than related to something that we all understand.

Effective laws?

Computer-related theft has to be tried under the Computer Misuse Act 1990 (CMA '90), which focuses on unauthorised access rather than intent. As you may be able to gather, this law is now 17 years old and was updated recently to tackle denial of service attacks (the online equivalent of disrupting commerce by blocking access to a shop). No attempt has been made to address the outdated definition of theft; why does this matter? The number of successful convictions for computer-related theft under the CMA '90 is minimal, to my knowledge. Don't believe me? Let's look at the following examples:

In March 2000, Raphael Gray utilised a flaw within a web server to obtain credit card details from a number of websites, including the details of Bill Gates. Gray was subsequently charged under sections two and three of the CMA '90 for the access to the web servers.

In this case, defence counsel successfully argued that the technique used to exploit the vulnerability, which also disabled logging, could not be brought to trial as there was no evidence to prove that this was successful; even though there were logs to show that Gray had attempted this unsuccessfully on the same device. This defence was mounted on the premise that all websites are designed to be accessed from the internet, and at no time after conducting the attack was Gray notified that he was entering a restricted area, either by being presented with a window asking for authentication credentials or even a message stating that the area he was entering was restricted. Gray eventually accepted a plea bargain to plead guilty to the charges under section one in relation to the hacking of the web server in exchange for a more lenient sentence (he was also indicted for the fraudulent use of the stolen credit cards).

In another case, Daniel Cuthbert attempted a directory traversal attack on the DEC website, on New Year’s Eve 2004, by entering /../../ after suspecting it to be a ‘Phishing’ website. The Intrusion Detection Systems at the hosting ISP picked this activity up and informed the police. Although Justice Purdy accepted that Cuthbert had not intended to cause any damage, he found Cuthbert guilty under section one as intent was not required to be proven, but also stated there was almost no case law in this area.

In both of the above cases, the conviction was for the same offence, but the intent was vastly different. The statement of Justice Purdy regarding the lack of case law is wholly correct with regards to web application hacking. Just as the onus to define authorisation with regards to access needs to be defined for networked systems to bring a prosecution under the CMA '90, there is a need to ensure that web applications are fully tested to prevent disclosure of information unless the correct authorisation mechanism has been complied with.
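The Cuthbert case turned on a `/../../` request being picked up by the hosting ISP's intrusion detection, and the paragraph above asks that web applications be tested so they never disclose information without the correct authorisation. Here is an added example (my own illustration, not code from the original post or from any of the sites or systems named): on the application side, a resolver that refuses any request whose normalised path would leave the document root, and on the monitoring side, a scan of access-log lines that flags traversal attempts the way that ISP's IDS did. The document root, the log format and the sample lines are constructed for the demonstration.

```python
"""Two defender-side checks for directory traversal.

resolve_under_root() is what an application should do before opening a file
for a requested URL path; traversal_attempts() is the detection view over
web server access logs. WEB_ROOT, the log format and SAMPLE_LOG are
constructed assumptions for this illustration.
"""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"  # assumed document root (POSIX paths)

# Literal and percent-encoded forms of "../" as they appear in request paths.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f", re.IGNORECASE)

# Constructed combined-log-style line: ip ident user [ts] "METHOD path proto" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)


def resolve_under_root(requested, root=WEB_ROOT):
    """Map a requested URL path to a filesystem path under root.

    Returns None when the path cannot be served safely: it contains a NUL
    byte, or after percent-decoding and '..' normalisation it escapes root.
    Decoding happens first so that '%2e%2e' is treated exactly like '..'.
    """
    path = requested.split("?", 1)[0]       # drop the query string
    decoded = unquote(path)
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None                          # normalised path left the root
    return candidate


def classify(path):
    """'escapes-root' if the path leaves the document root, 'dot-dot-within-root'
    if it uses '..' but stays inside, None for an ordinary request."""
    if resolve_under_root(path) is None:
        return "escapes-root"
    if TRAVERSAL.search(path):
        return "dot-dot-within-root"
    return None


def traversal_attempts(log_lines):
    """Return (ip, path, verdict) for every logged request that looks like traversal."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                         # skip lines in another format
        verdict = classify(m["path"])
        if verdict is not None:
            hits.append((m["ip"], m["path"], verdict))
    return hits


# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Dec/2004:23:58:01 +0000] "GET /../../ HTTP/1.1" 403 512',
    '198.51.100.4 - - [31/Dec/2004:23:58:05 +0000] "GET /donate/index.html HTTP/1.1" 200 8192',
    '203.0.113.7 - - [31/Dec/2004:23:58:09 +0000] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 310',
    '192.0.2.9 - - [31/Dec/2004:23:59:00 +0000] "GET /images/../index.html HTTP/1.1" 200 4096',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in traversal_attempts(SAMPLE_LOG):
        print(hit)
```

Two details matter for a practitioner. The resolver decodes before it normalises, because a check done on the raw string would wave through the `%2e%2e` form that the third sample line uses. And the detection keeps the two verdicts separate: a `..` that stays inside the root is noise from a badly written link far more often than an attack, whereas a path that would leave the root is worth an analyst's time regardless of the status code the server returned.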

Conclusion

If the government is failing in any areas, it's in the outdated laws regarding computer-related theft, the lack of any compulsion on companies to secure their data, and a complete absence of laws forcing all UK companies to have a certain level of security. The public needs a better understanding of what the issues are and how to protect itself; the government can support this, but UK plc has to take a stand too.