Tuesday, November 22, 2011

Internet Privacy ... the discussion is happening

Over the last year or so I have been involved in a number of initiatives that have privacy as a key aspect, whether it was work on Attribute Exchange, NSTIC or FICAM Federal PKI policies. I am one of the people who has had their eyes opened more and more with respect to the aspects of privacy.

Yes, I do understand there is a balance when it comes to privacy. Usability is a factor, as well as governance and oversight. In that regard I read an interesting interview with Viviane Reding, Vice-President of the European Commission. It brings up some interesting ideas on privacy, especially with regard to the individual and data protection, as well as governance and oversight.

One of the interesting aspects of this is the difference in governmental views on how to deliver on privacy. Recent White House discussions center around self-governance and self-monitoring, while EC initiatives are driven centrally through the Government. This tends to reflect the traditional view of European governments on identity, while the US has been careful about any form of National Identity. The US political view seems to focus on commercial delivery of identity solutions. Not a bad thing when you are in the identity business, but that business comes with risk, especially when federated identity requires interoperability of these identity infrastructures. How does one guarantee compliance without external oversight? Yes, there are great organizations that can manage and police, such as those structured around the Trust Framework Provider program within the US Government, but how does that match what is happening in Europe and elsewhere? If an IDP has to build separate infrastructures for separate markets, then how does that business truly operate globally?

I am not suggesting that the US approach is wrong or right, nor am I suggesting the EC has the perfect answer, but there does need to be a way to marry the discussions so that the questions of risk mitigation for companies, both IDPs and RPs, can be managed. Let's hope that the discussions happening today get us toward that business nirvana.

Wednesday, November 9, 2011

Is the sky really falling on the security world?

One has to wonder if this is the year when someone mentions security and we get a collective guffaw, or whether it is truly a case of people starting to pay real attention. I like to believe the latter, but then I see an article from Dark Reading on an Ernst & Young report, "Security is Still an Afterthought...", and I am not sure. Certainly attention in the media can be a good thing in that it should get people thinking. I certainly start thinking when I see news of breaches, attacks or vulnerabilities: "Do I have to worry about my environments?", "Is this an opportunity to share knowledge?" or "Is this an opportunity to look at a system differently?". Part of the issue I have with the coverage, though, is that there is usually the sensationalist article "<insert technology here> is Broken" which gets mainstream attention, and explaining the real story to people then takes lots of time.

Experience has taught me that it is not always a case of technology being broken. Now, granted, we have had those cases, but generally speaking what we have seen lately is not technology being broken but technology being poorly leveraged or poorly implemented. Let's take some examples:

- The RSA breach: Why was it as bad as it was? Well, someone had left critical data on a networked computer. Is the RSA two-factor solution a bad technology - NO! Did the implementation of their infrastructure have some fundamental design/implementation issues - YES.
- The Comodo attack: Is PKI a broken technology - NO! Did Comodo miss some fundamental implementation rules by not having strong multi-factor authentication for their RAs and not having back-end checking of domain use during issuance - It certainly looks like it.
- BEAST: Is SSL/TLS a bad technical specification - fundamentally NO! Have the browser, server and other vendors that leverage SSL/TLS done a good enough job of keeping abreast of updates based on enhancements to the specification - obviously NOT!

So what do we learn from this? Yes, we do need to pay attention to the press, whether it be a trusted blogger or a trusted news source. The data they deliver, though, is only one piece of the picture, so we need to make sure we take that data, add to it and then assess what it means in our personal, corporate or organizational context.

It is an old adage, but it is not just technology: you need to consider the people and process around it. That includes education, policy, implementation and all the other elements that make up a good security plan.

So CL, you are safe - the sky is not falling - but make sure you are looking all around you and not just up; problems can come from any direction.