Information Security in the Real World. Confidentiality, Availability, Integrity, Practicality.

Saturday, 27 February 2010

Sigh... Italian judge makes analogue decision in digital age...

The recent decision by a Milan court to convict three Google executives for violating the privacy of a child with Down's syndrome whose abuse was posted on YouTube (see The Guardian's Comment is free editorial, "Google") is depressing, but it may end up as just a footnote in history if the Italian government wakes up to its responsibilities under EU law before it has to be reminded of them. The decision is in conflict with recent European law that was specifically drafted to give hosting providers a safe harbour from liability, so long as they remove illegal content once they are notified of its existence, which Google appears to have done, although some are claiming not soon enough.

Whatever, if hosts can be held liable for the content they host then not only do we in the developed and politically stable world lose our favourite work-day pastimes, but the less fortunate in repressive states lose a big tool of democracy. Here's hoping the Italians realise their mistake before less enlightened regimes decide to follow suit.

Friday, 19 February 2010

Buzz lightyears behind?

Google Acknowledges Privacy Issues With Buzz - DarkReading. How disappointing, then, that internet giant Google failed so badly to consider security paramount in the design of its new social media app "Buzz". I thought we'd got the message out there: this Homeland Security article was published in 2006, and the mantra "design in security" goes back far further in the tech community at large.

Google is a great innovator, and the projects they began in-house (their search engine, toolbar and mail service for example) are usually excellent, but with Buzz they seem to be jumping on a bandwagon and doing so too hastily.

While I'm on the subject, Facebook's privacy controls are now an unholy mess. Beware if you use any social media for business, get informed about what you are revealing to the world.

Monday, 1 February 2010

Encourage data security or pay the penalty

The Information Commissioner's Office has released details of 800 data security breaches (PDF) reported to it in the last two years. The office is warning that tougher sanctions will follow for organisations that fail to report breaches that subsequently come to light.

Also, the ICO announces in the same press release the increased sanctions applicable to personal data breaches - up to £500,000 for the most serious offences.

Time to review your organisation's handling of laptops and removable media?

In my experience, organisations spend a lot of time and effort on technical data-loss prevention (DLP) solutions while missing the point: employees don't really want to take data home on a memory stick, but they have no choice. If they were given secure access to their data while away from the office, they wouldn't need to take anything with them on a thumb drive. Ensure the laptop hard drive is encrypted and protected by a boot-time logon, certainly, but if you also spend some time and effort on properly enabling remote access to your servers, providing synchronisation and collaboration tools and remote access to e-mail, and keep the servers up 24/7, then your employees will be less inclined to take data home on sticks and disks.

Even more important is connecting your geographically dispersed business units. Failing to connect two closely related but separately located departments electronically, so that they have to send CDs to each other (as happened in the UK government's child benefit data loss), is just criminal.

Practical security starts with enabling good behaviour through technology; do that and you'll have less bad behaviour to deal with.