Blog posts by Mike Small
There is an old joke that circulated amongst IT professionals during the 1980s – it goes as follows. A man goes up to an ATM, puts his card in the machine and requests some cash. The machine accepts his card and PIN but doesn’t give out any cash. He goes into the bank and tells a cashier what has happened. The cashier replies – “that’s strange, because we just had brand new software installed this morning”. This joke is probably not funny if you bank with RBS in the UK.
I normally write about IT security issues, so why is this entry about managing change? Well - security is about confidentiality, integrity and AVAILABILITY. Good IT security ensures that you have access to the information that you are entitled to whenever and wherever you need it. One of the most frequent causes of non-availability is poorly managed change. In the world of software – a change is often a change for the worse.
The older the software system the more difficult it is to patch and most of the retail banking systems are very old. The people that originally wrote it may be long gone; the change you are applying is probably on top of many previous changes. You did your best and it looks like it should work but unfortunately you didn’t fully understand the complex interactions that now exist within the program. So you test it, and your test contains all the expected cases plus all the previously detected bugs that have been fixed. However these tests don’t include every possible case and so when it goes live – whoops the impossible happens and the system crashes. If you are lucky this unlikely event only causes minor damage. If you are unlucky – as seems to have been the case with the RBS systems – this unlikely event causes major damage. It becomes the nightmare of IT security: a low probability, high impact event.
Now you have to recover from the problem. Can you roll back the software to the last working version? Are you able to restart or re-run the failed transactions? How can you make sure that you don’t repeat the successfully processed transactions? You need to have planned for all of these contingencies BEFORE you applied the change. You need to have tested your plan BEFORE you applied the change.
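One way to make re-running a failed batch safe, as an added Python illustration that is not from the post: an append-only journal of applied transaction ids lets a batch that crashed part way be re-run so that failed transactions are retried and successful ones are never applied twice. The ledger, journal format and sample postings are constructed for this example.

```python
"""Idempotent replay of a failed transaction batch (constructed example)."""
import json
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Posting:
    txn_id: str      # unique, stable id assigned when the transaction was captured
    account: str
    amount: int      # pence; negative is a debit


class Ledger:
    """In-memory balances plus an append-only journal of applied transaction ids.

    On construction the journal is replayed, so a restarted process knows exactly
    which transactions were already applied before the crash.
    """

    def __init__(self, journal_path):
        self.journal_path = journal_path
        self.balances = {}
        self.applied = set()
        if os.path.exists(journal_path):
            with open(journal_path) as fh:
                for line in fh:
                    rec = json.loads(line)
                    self.applied.add(rec["txn_id"])
                    self.balances[rec["account"]] = (
                        self.balances.get(rec["account"], 0) + rec["amount"])

    def apply(self, p: Posting) -> bool:
        """Apply a posting exactly once. Returns False if it was already applied."""
        if p.txn_id in self.applied:
            return False
        # Journal first, then update in-memory state: if the process dies between
        # the two, the rebuild on restart re-derives the state from the journal.
        with open(self.journal_path, "a") as fh:
            fh.write(json.dumps({"txn_id": p.txn_id, "account": p.account,
                                 "amount": p.amount}) + "\n")
            fh.flush()
            os.fsync(fh.fileno())
        self.applied.add(p.txn_id)
        self.balances[p.account] = self.balances.get(p.account, 0) + p.amount
        return True


def run_batch(ledger, postings, fail_after=None):
    """Process postings in order; optionally simulate a crash after N applied.

    Returns (applied_count, skipped_count); skipped postings are duplicates.
    """
    applied = skipped = 0
    for p in postings:
        if fail_after is not None and applied == fail_after:
            raise RuntimeError("simulated crash mid-batch")
        if ledger.apply(p):
            applied += 1
        else:
            skipped += 1
    return applied, skipped


def demo():
    """Crash part way through a batch, restart from the journal, re-run it."""
    batch = [  # constructed sample postings
        Posting("t1", "acc-A", -500),
        Posting("t2", "acc-B", 500),
        Posting("t3", "acc-A", 200),
        Posting("t4", "acc-C", -200),
    ]
    with tempfile.TemporaryDirectory() as d:
        journal = os.path.join(d, "journal.jsonl")
        first = Ledger(journal)
        try:
            run_batch(first, batch, fail_after=2)   # t1, t2 applied, then crash
        except RuntimeError:
            pass
        # "Restart": rebuild state from the journal and re-run the same batch.
        second = Ledger(journal)
        applied, skipped = run_batch(second, batch)  # t1, t2 skipped; t3, t4 applied
        return applied, skipped, dict(second.balances)


if __name__ == "__main__":
    print(demo())
```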
Now it may well be that RBS did all that it could and should have done – only a detailed investigation will reveal whether there were avoidable shortcomings. Nevertheless RBS’s experience should be a reminder to all of us in the IT industry to be careful about managing change to IT systems. It shows the need for IT professionals to really understand the impact they have on the business.
The fundamental role of IT within an organization is simple to describe: It must provide the IT services that business requires in the way business wants them – nothing more, nothing less. Unfortunately, many corporate IT departments tend to concentrate more on technology than on the needs of the business. This is a major paradigm shift for many IT professionals. To explain this business led approach to managing IT services KuppingerCole has written a research note "The Future of IT Organizations".
If you were asked to think of an IT security firm, perhaps IBM would not be top of the list. However IBM has a significant set of products in this market and it manages the security of its customers’ outsourced and cloud systems, as well as that of its very large internal IT operations. Following the acquisition of Q1 Labs late last year, IBM is reorganizing to bring together all the security products under one division. Well, large companies are forever re-organizing, so why does this change matter? In short this is important because it reflects the increasing level of cyber risk and the recognition of this risk within the boardrooms of the organizations that are customers of IBM.
Over the past 12 months there have been a number of widely reported cyber-attacks on large organizations, intended to steal information of significant value or to cause commercial damage. The organizations affected include Sony, whose PlayStation Network was targeted and the details of 77 million users compromised, and RSA, which has offered to replace its SecurID tokens following a compromise of information relating to those tokens; according to the Verizon 2012 Data Breach Investigations Report there has also been a huge rise in politically motivated attacks. Even the head of MI5, the UK’s internal security agency, has said it is working to counter “astonishing” levels of cyber-attacks on UK industry. The trend, identified in the Verizon report, is a large increase in data breaches stemming from external agents. So is this a watershed for boardrooms to take an interest in cyber-security?
A study conducted using double-blind interviews by the IBM Centre for Applied Insights with 138 security leaders found that “while many security organizations remain in crisis response mode, some security leaders have moved to take a more proactive position, taking steps to reduce future risk.” Its findings include:
- Business leaders are increasingly concerned with [IT sic] security issues.
- Budgets are expected to increase.
- Attention is shifting towards risk management.
- External threats are the primary security challenge.
- Mobile security is a major focus.
The study also groups security leaders into three types:
- Influencers: those that have business influence and authority – who rank themselves highly in maturity and preparedness.
- Protectors: who recognize the importance of information security – but who lack measurement insight and budget authority needed.
- Responders: who do not have the resources or business influence to drive significant change.
So what about security products? Well, IBM has chosen to focus on the higher levels of IT security management rather than low-level threat protection. The rationale behind this is that threats to organizations are both targeted and persistent. If the threat is blocked in one way the attacker will continue to look for other approaches that bypass the block. Therefore behavioural analysis of what is happening around and inside the organization’s network and systems is a better indicator of an attack in progress, and this often provides the security intelligence needed to counter these threats.
The other area that IBM has focussed on is mobile security. The increasing trend towards BYOD and the proliferation of tablets and other end user devices that can be connected to the corporate network has increased the risks of data loss. Although people value their smartphones they are not careful with them. (According to a study by Plaxo – 19% of people reported that they had dropped their smartphone down a toilet!) When the device is lost the data it contains is often more valuable than the device itself. In KuppingerCole’s opinion BYOD brings many challenges and the key to mobile security is to start from a data-centric position rather than a device-centric one: understand what data you have and then make sure that you protect it properly. IBM say that their strategy in this area comes from “following the data” – if so, that is good news.
So – in summary – the risk of cyber-threats to organizations is increasing, and it is clear that IT security professionals need to do a better job of explaining these risks in business terms. KuppingerCole’s view is that IT Organizations have to adapt to become much more business aware or they will fail. This includes, but is not limited to, security challenges. It is good to see IBM providing a lead in this area.
I just returned from NISC - the National Information Security Conference - held this year in Cumbernauld in Scotland. The theme of this event was “the diminishing network perimeter”. With the advent of smart phones, tablets, Kindles and BYOD, the boundaries between the work and home environment have dissolved so how do you maintain the security of your corporate network? How does this impact on the corporate network, and how much can you put into the cloud?
There were many interesting sessions around this theme and, as well as giving a talk on the Deadly Sins of Cloud computing, I sat on a panel which discussed the diminishing network perimeter.
Amongst the other sessions – one by Dr Simon Shui of HP Labs provided an interesting and different perspective on Cloud computing. Dr Shui has been working with Professor David J. Pym at the University of Aberdeen on the subject of “Information Stewardship in the Cloud”. They have developed a series of economic and mathematical models that explore various aspects of the emerging cloud ecosystem. These models allow the exploration of different priorities on information stewardship as well as the relative success of different policies and the attributes of platforms and providers.
I was honoured to be part of a panel, chaired by Gerry O’Neill, which discussed the diminishing network perimeter. In my opinion - the network perimeter is and always was an illusion created as a comfort blanket. We need to get over the idea that the whole organization can somehow be isolated – it can’t. The business perimeter is long gone. What is commodity is outsourced, only what adds value is retained. We need to remember that, in general, IT is now a commodity. In this new world indirect governance now replaces hands on management. This approach is essential when you acquire services rather than produce them yourself. In general internal IT organizations have focussed on how to do it themselves and are not good at indirect governance. For indirect governance to succeed it is important to:
a. Really understand the business requirements (which include the need for compliance and risk appetite).
b. Understand what data you have and the value of this to your business.
c. Base IT architecture, and decisions about how to acquire IT services, on these requirements.
d. Assess risk and choose the risk response on real need rather than theoretical possibilities.
e. Make sure that responsibilities are clearly defined, and set controls and measure performance against this business need.
We can no longer design IT systems on the assumption that they will be run in-house. We can no longer rely on a notion of a secure perimeter as the basis for IT security. IT systems should be designed to run in whatever location is best from a point of view of cost and risk.
Adopting Cloud computing can save money, but it is important to choose the right Cloud solution for your business need. KuppingerCole have produced a Scenario Report – Understanding Cloud Computing to help you make the right choice.
The Cloud provides an alternative way of procuring IT services that offers many benefits including increased flexibility as well as reduced cost. It extends the spectrum of IT service delivery models beyond managed and hosted services to a form that is packaged and commoditized.
The Cloud is not one thing; it covers a wide spectrum of types of service and delivery models ranging from in-house virtual servers to software accessed by multiple organizations over the internet. For example - an organization can run the IT services in-house – this is the most flexible but usually the most expensive arrangement. It can contract the running of the services through a managed service or hosting agreement; this is less flexible but may be cheaper. Infrastructure as a Service provides a commoditized and packaged hosting service – which requires no capital expenditure. A similar spectrum applies to business applications; an organization can develop its own applications, which can be designed to the organization’s exact requirements but is very expensive. It can use commercial applications which are tailored to the organization’s needs; this is usually cheaper but still involves the management and running costs. Software as a Service provides access to a packaged application which is managed and run by the service provider and can be bought on a charge-per-use basis.
It is important to understand the varieties of Cloud services and deployment models to choose the one most suitable for your needs.
Choose the right type of Cloud service:
Infrastructure as a Service (IaaS) provides basic computing resources that the customer can use to run software (both operating systems and applications) and to store data. IaaS allows the customer to transfer an existing workload to the Cloud with minimal if any change needed. The customer does not manage or control the underlying Cloud infrastructure but remains responsible for managing the OS and applications. IaaS removes the need to buy, house and maintain the physical servers and can provide the ability for an organization to respond quickly to changing demand.
Platform as a Service (PaaS) provides an environment that the customer can use to build and deploy Cloud applications. These applications may be for use by the customer or offered as a service to others. Building applications using PaaS means that they are inherently Cloud enabled and the PaaS provider also provides the service upon which these applications run. The benefits include no need for capital hardware investment and rapid deployment. The major downside is “lock-in”; most PaaS platforms are based on proprietary programming interfaces (APIs) and so it can be very difficult to change provider at a later date.
Software as a Service (SaaS) provides an application and data that can be accessed via a network (usually the internet) using a variety of client devices such as web browsers and mobile phones. The major benefit of SaaS is the immediate availability of a working solution for a specific business problem with no need for up-front investment. This is particularly valuable for areas such as mature business processes which are essential, well understood and need to be delivered at minimal cost. SaaS provides an opportunity for service vendors to offer the best solution to this kind of problem at the lowest cost. The risks associated with SaaS include loss of governance, data privacy issues and return of customer data. Mature business processes are often subject to regulations and laws, and organizations have invested heavily in IT to ensure compliance. Using SaaS means devolving control to the SaaS provider and it is essential to have independent confirmation that the provider will comply with the regulatory requirements. The SaaS provider also has control of the business data held by the service. Contracts need to specify how this data will be returned in a usable form at termination of the contract, to allow business continuity and provide the flexibility to switch provider.
Choose the right Cloud deployment model:
Public Cloud services are available for anyone to subscribe to and use. The key benefit of a Public Cloud approach is one of scale; the Cloud provider can potentially offer a better service at a lower cost because the scale of their operation means that they can afford the skilled people and state of the art technology. The Public Cloud model inherently provides service on demand. The Cloud provider can dynamically reallocate resources as they are required. Spreading the service delivery across multiple locations also improves resilience. Local problems with power supplies, telecommunication, natural disasters and so forth can be managed more effectively when there are several data centres in multiple geographies.
The downside of the Public Cloud is the risks of compliance and data security. For example - data privacy laws in the EU mandate that personal data must be processed within defined guidelines. The Cloud service customer, as the “data controller”, is responsible in law and needs to ensure that these guidelines are adhered to. Large Cloud providers have recognized this need and can offer compliant services. Sharing applications and infrastructure with unknown co-tenants can lead to concerns over data security and data leakage. There are standards and best practices for this and it is essential to check that the Cloud provider is externally certified as adhering to these.
The UK tax collection body HMRC’s online tax filing service is Software as a Service with a Public deployment model, and this has been praised by the Audit Office, although it is unclear whether it provides value for money.
A Private Cloud service is used exclusively by a single organization. The Private Cloud allows organizations to outsource the management of their IT infrastructure while retaining tighter control over the location and management of the resources. The price to pay for this is that the costs are likely to be higher because there is less potential for economy of scale, and resilience may be lower because of the limit on service resources available.
Isolation is one of the key techniques for ensuring security and, while in the Public Cloud applications and data exist in a shared environment, the Private Cloud offers greater isolation by dedicating resources to a particular customer.
A Community Cloud service is for the exclusive use of a specific community of organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). A Community Cloud provides many of the benefits of scale of the public cloud while retaining greater control over compliance and data privacy. Community Cloud services already exist but under a different name! For example NHSmail, the national email and directory service available to UK National Health Service staff in England and Scotland, is effectively Software as a Service with a Community deployment model. As regards security, NHSmail is accredited to Government RESTRICTED status, and is the only NHS email service that is secure enough for the transmission of confidential patient information.
When moving to the Cloud it is important that the business requirements for the move are understood and that the Cloud service and deployment models are selected to meet these needs. Taking a good governance approach, such as COBIT, is the key to safely embracing the Cloud and the benefits that it provides:
- Identify the business requirements for the Cloud based solution. This seems obvious but many organizations are using the Cloud without knowing it.
- Determine the Cloud service needs based on the business requirements. Some applications will be more business critical than others.
- Develop scenarios to understand the benefits and risks. Use these to determine the requirements for controls and questions to be answered. Considering the risks may lead to the conclusion that moving to the Cloud is not appropriate.
- Understand what the certification and accreditations offered by the Cloud provider mean and actually cover and how these support your needs.
- In most organizations Cloud computing will co-exist with other IT service delivery models. Therefore an approach to governance and management is needed which covers both traditional and Cloud models.
For more details on how best to make these choices see the KuppingerCole Scenario report – Understanding Cloud Computing.
Adopting Cloud computing can save money, but you need to avoid the seven deadly sins.
The Cloud provides an increasingly popular way of procuring IT services that offers many benefits including increased flexibility as well as reduced cost. It extends the spectrum of IT service delivery models beyond managed and hosted services to a form that is packaged and commoditized. However - many organizations are sleepwalking into the Cloud. Moving to the Cloud may outsource the provision of the IT service, but it does not outsource the customer’s responsibilities. There are issues that may be forgotten or ignored when adopting cloud computing.
In medieval times the Christian church created the concept of the seven deadly vices to explain the human weaknesses that lead to sins. These are: wrath, greed, sloth, pride, lust, envy and gluttony sometimes known as the seven deadly sins. Of these vices one above all can lead to problems with Cloud computing. The deadly vice of Cloud computing is sloth which leads to inattention to details like:
- Not knowing you are using the Cloud: it is easy to buy a Cloud service using a credit card – your organization may be using the Cloud without you knowing it. When you buy the Cloud service that way it is likely that you have agreed to the terms and conditions set by the provider, and these may not be appropriate for your needs. You should ensure that there is a proper process for obtaining a Cloud service and that this is followed.
- Not assuring legal and regulatory compliance: many organizations have invested heavily to ensure that their internal IT systems comply with the legal and regulatory requirements for their type of business. You need to check that if you move these systems into the Cloud that you will not lose this compliance.
- Not knowing what data is in the cloud: one of the key legal requirements for many organizations is compliance with data privacy laws. These mandate where personally identifiable data can be held and how it must be processed. If you don’t know what data you are moving to the Cloud you could be in trouble. This problem has become more acute because of the explosion in the amount of unstructured data like spread sheets, presentations and documents. It is essential that you identify and classify data you are moving to the Cloud to manage risks and ensure compliance.
- Not managing identity and access to the cloud: controlling who can access what is even more important when data and applications are accessed via the Internet. Managing identity and access remains the responsibility of the customer when the data and application is moved to the Cloud. The best way to achieve this is through the use of identity federation based on standards like SAML and ADFS.
- Not managing business continuity and the cloud: organizations adopting the Cloud need to determine the business needs for continuity of any services and/or data being moved to the Cloud. To support this they should have policies, processes and procedures in place to ensure that these business requirements are met. These involve not only the Cloud Service Provider, but also the customer as well as intermediate infrastructure such as telecommunications and power supplies.
- Becoming Locked-in to one provider: it is often claimed that the Cloud provides flexibility but how easy is it to change Cloud Service Provider? There are a number of factors that can make changing provider difficult. There may be contractual costs incurred on termination of the service contract. The ownership of the data held in the Cloud may not be clear and return of the data on termination of contract may be costly or slow. When data is returned it may not be in a form that can easily be used or migrated. Cloud services (built using Cloud Platforms, PaaS in particular) may be based on a proprietary architecture and interfaces making it very difficult to migrate to another provider.
- Not managing your Cloud provider: you need to manage your Cloud provider just like any other outsourced IT service provider. This means defining and agreeing metrics via service level agreements and then making sure that these are achieved. A customer may wish to perform an audit of the provider, but it may not be practical for the provider to allow every customer to perform their own audit. Certification of providers by a trusted third party is a way to satisfy this need. However it is important to understand what these service organization controls (SOC) reports cover.
Is your location private? If you have installed an App on a smartphone it is almost certain that your location is being tracked. So should you care? Are you giving away details of your movements too cheaply? Is being able to track where your children are a benefit or a risk? To find the answers to these and other questions, on December 12th I attended “A Fine Balance 2011: Location and Cyber privacy in the digital age” sponsored by the UK Knowledge Transfer Network.
The title of this article is taken from the lyrics of a 1983 song by “The Police” that was used as the basis of a talk by Richard Hollis, CEO of Orthus and a director of ISACA. In his talk he explained the business value of geo-location information to increase revenue as well as to reduce cost, and the difficulty individuals have in opting out from having their location tracked. He gave a number of examples of the use of location data including: a US car rental firm that adds an extra charge if the car has exceeded 79mph for a period longer than 2 minutes, and a French company that saved on fraudulent expense claims by tracking employees’ locations. He also described how he discovered that his new bank debit card contained an RFID chip, allowing the bank to track his presence. When he enquired of all the major UK banks he found that he was unable to opt out from this or find a bank that didn’t use this technology. Hollis believes that companies like Google have made billions of dollars from tracking where you went on the internet and they expect to make more from tracking your physical location. The downside of this data is that it is valuable to criminals; for example knowing you are not at home is valuable to thieves.
Stewart Room, a partner at Field Fisher Waterhouse LLP, outlined the legal basis for privacy. In Europe, the relevant legal framework is the data protection directive (95/46/EC). This applies where personal data are being processed as a result of the processing of location data. The e-privacy directive (2002/58/EC, as revised by 2009/136/EC) applies to the processing of base station data by public electronic communication services and networks (telecom operators).
Location data is defined in the above as being: “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”.
Location data is covered by general rules on data protection and can only be processed anonymously or with informed consent. But how informed is the consent that is given? Jonathan Bamford, Head of Strategic Liaison at the ICO described an end user agreement for the use of an App that was over 10,000 words in length. He also reported that the EU Working Party set up under Article 29 of EU Directive 95/46/EC has published a document on this subject: Opinion 13/2011 on Geolocation services on smart mobile devices. He noted that this document states – “Typically, companies that provide location services and applications based on a combination of base station, GPS and WiFi data are information society services. As such they are explicitly excluded from the e-Privacy directive,..” At the end of his presentation the audience was invited to vote on a number of issues including what approach should the ICO take to deal with this emerging problem.
Prof Jonathan Raper then presented his vision for a location data broker. This would provide a service that would securely store data on the location and movements of individuals. It would then only make this information available to other organizations with the consent of the individuals concerned, and share any monetary value. It would also be able to provide confirmation of individuals’ whereabouts in the case of disputes.
Chris Atkinson, from the UK Council for Child Internet Safety, then discussed safeguarding children’s privacy in social media. She posed the question “are children vulnerable innocents or tech savvy natives?” In the UK 50% of children aged 12-15 own a smart phone in comparison to only 27% of adults. In the EU 1 in 5 9-12 year olds have a profile on Facebook, in spite of there being a requirement to be 13 years or older (due to the US child protection laws). Most of these younger children do it with the help of their parents. 52% of 11-18 year olds are aware of geo-location services and 48% like their friends to know where they are.
At the end of this event I had more questions than answers. Geo-location information on individuals seems to be in widespread use. It is for example, funding the development of Apps and people want the services provided by the Apps but would prefer not to pay for them directly. Online marketing is willing to pay to know where you are and that is fine if it is done lawfully and transparently. I still worry that this geo-location data could be misused and personally I prefer not to knowingly provide it.
For more debate on this subject why not attend the European Identity Conference on April 17-20 in Munich.
If you think that China only manufactures socks – read on to learn how Chinese software and European Cloud expertise plans to deliver ERP and CRM to mid-sized enterprises in EMEA.
On November 8th, 2011 – the European IT services company ATOS and the Chinese software company UFIDA INTERNATIONAL HOLDINGS, LTD. announced the formation of a Joint Venture, YUNANO™ which will address the growing Cloud market in Europe and China, targeting midsize organizations.
UFIDA is a Chinese software company, registered in Shanghai, which was founded in 1988 and has a focus on software for Accounting, ERP, and CRM. It has around 12,000 employees and has R&D centres in Beijing, Nanjing, Shanghai and Shenzhen. YUNANO which in transliteration means “cloud & safe” will be a software company with a focus on delivering ERP and CRM to mid sized enterprises via Software as a Service. The software will be provided by UFIDA and the SaaS delivery will be provided via ATOS using the ATOS Cloud IaaS and PaaS platforms. The target market will be in EMEA and, since one major concern in this market is the location of data to comply with privacy rules, the ATOS infrastructure is located in Europe. The system integration and any process re-engineering necessary will be delivered through local VARs and these are currently being recruited.
Why is the focus on SaaS and mid-sized enterprises? This area is seen to have a very high growth rate. According to research carried out on behalf of the joint venture in house ERP in mid sized enterprises has only around 3% annual growth forecast, while ERP via SaaS annual growth is forecast to be around 90%. This is because of the ease and convenience that the SaaS model delivers to mid sized enterprises – many of which are subsidiaries of larger organizations and already have to contend with multiple complex systems.
So – does YUNANO intend to replace the likes of SAP and Oracle? The answer given is NO! Their focus is to help mid-sized organizations like L’Oreal who are strongly committed to SAP by providing simple and easy to use solution to their needs without replacing the existing systems.
When will the solution be available? The target is for CRM and ERP software to be localized in English, the initial VARs to have been recruited and for the first sales wins to have been achieved by the end of 2012. French and German localization should be available by late 2012 early 2013.
Will this be a success? KuppingerCole will be monitoring this joint venture over the coming months and will provide updates.
Cloud computing provides organisations with an alternative way of obtaining information technology services and offers many benefits including increased flexibility as well as cost reduction. But many organisations are reluctant to adopt the cloud because of concerns over information security and a loss of control over the way IT services are delivered. These fears have been exacerbated by recent events reported in the press including outages by Amazon and the three-day loss of Blackberry services from RIM. So what approach can be taken to ensure that the benefits of the cloud outweigh the risks?
To understand the risks involved, it is important to understand that the cloud is not a single model. It covers a wide spectrum of services and delivery models ranging from in-house virtual servers to software accessed by multiple organizations over the internet. The risks of the cloud depend upon both the service model and the delivery model adopted. When moving to the cloud it is important that the business requirements for the move are understood and that the service selected meets these needs. Taking a good governance approach is the key to safely embracing the benefits that it provides. You must identify the business requirements for the solution. This seems obvious, but many organisations are using the cloud without knowing it.
It is wise to determine the service needs based on the business requirements. Some applications will be more business critical than others. Organisations must also develop scenarios to understand the security threats and weaknesses. Use these to determine the response to these risks in terms of requirements for controls and questions to be answered. Considering these risks may lead to the conclusion that the risk of moving to the cloud is too high. Finally, organisations must understand what the accreditations and audit reports offered by the provider mean and actually cover.
The risks associated with cloud computing depend on both the service model and the delivery model adopted. The common security concerns are ensuring the confidentiality, integrity and availability of the services and data delivered through the external environment. Particular issues that need attention include ensuring compliance and avoiding lock-in. To manage risk, an organisation moving to the cloud should make a risk assessment using one of the several methodologies available. An independent risk assessment of cloud computing was undertaken by the European Network Information and Security Agency. It identified 35 risks which are classified according to their probability and their impact. When the risks important to your organisation have been identified, these lead to the questions you need to ask the provider.
I propose the following questions. How is legal and regulatory compliance assured? Where will my data be geographically located? How securely is my data handled? How is service availability assured? How is identity and access managed? How is my data protected against privileged user abuse? What levels of isolation are supported? How are the systems protected against internet threats? How are activities monitored and logged? What certification does your service have?
The service provider may respond to these questions with reports from auditors and certifications. It is important to understand what these reports cover. Note that these reports are based on the statement of the service that the organisation claims to provide - they are not an assessment against best practice. A service organisation may also provide an auditor's report based on established criteria - which cover security, availability, processing integrity, privacy, and confidentiality. A typical auditor's report on a cloud service will simply refer to which of the five areas are covered by the report and it is up to the customer to evaluate whether the principles and criteria are appropriate for their needs.
Cloud Computing can reduce costs by providing alternative models for the procurement and delivery of IT services. However, organisations need to consider the risks involved in a move to the cloud. The information security risks depend upon both the service model and the delivery model adopted. The common security concerns of a cloud computing approach are maintaining the confidentiality, integrity and availability of data. The best approach to managing risk is one of good IT governance, covering both cloud and internal IT services.
Originally published at PublicServiceEurope.com
The UK National Identity Card ceased to be a valid legal document on 21 January 2011. What does this mean for e-Government in the UK? In October 2010 Martha Lane Fox – the founder of Lastminute.com and UK Government’s digital champion – delivered a report on delivering government services via the web. As a result of this report the Right Honourable Francis Maude, the minister responsible, launched a study “Ensuring Trust in Digital Services” through the Technology Strategy Board. On October 31st, 2011 I attended a series of presentations and demonstrations describing the results of this study. This is not a new idea and Professor Brian Collins – who chaired the sessions – reminded us that these issues have been under discussion since the 1990s and that papers published then are still relevant! More recently the Foresight Cyber Trust and Crime project covered areas including identity and authenticity. Francis Maude introduced the session with the statement that "if a government service can be delivered online it should be delivered online, and achieving this depends upon identity". He confirmed that the UK Government will not deal with the question of citizen online identity through a centralized ID repository or ID card. Rather it will depend upon private sector services for identity assurance. For this to be successful it depends upon technology and market drivers. Identity federation technology has been around for nearly ten years (the S2ML standard – the precursor of SAML - was first ratified by OASIS in November 2002). The real issue is to identify the commercial drivers that will make this practical. As a result the government has earmarked £10M to support this strategy because it is seen as essential to enable the government to save money as well as improve services. David Rennie – the Cabinet Office Lead for the ID Assurance programme – described the challenges.
These include the problems of trust, the registration overhead, fraud, the security arms race and the need to limit the propagation of personal data. The solution must be customer centric, decentralized and based on standards allowing collaboration. Identity assurance provides a means of improving the customer experience while mitigating risks of fraud. For it to work it also depends upon governance, certification and dispute resolution, which must be done by the government. The challenges of ID assurance extend beyond the identity of the individual. Joan Wood – Director, Online Services & Digital Development at HMRC (the UK Tax authority) described the need to support businesses and business intermediaries as well as individuals. Employers and payroll service providers report data on payments made to individuals as well as their tax deducted at source. Financial services organizations make tax returns on behalf of individuals as well as companies, and all of these use cases need to be accounted for. Currently, on January 31st – the deadline for filing tax returns – the HMRC Web Site is the 3rd busiest in the world processing 0.5 million submissions. Mike Bracken – Executive Director, Government Digital Services and identity - explained the benefits to the government of the programme. In one year the UK Government call centres received 690m telephone calls at a cost of £6.28 per call. It is estimated that 150m of these calls were due to failed online transactions – so improving online services could lead to massive savings. But what's in it for the identity services providers and what liabilities would they incur? Mr Bracken replied that these issues were being discussed with potential organizations. One of the demonstrations at the event was from EnCoRe – “Ensuring Consent and Revocation”. This demonstration addressed the challenge of securely aggregating personal information while ensuring privacy.
The example was to allow an individual to obtain a parking permit online. This process currently requires an individual to visit local government offices armed with paper information. To obtain the parking permit the person needs to prove they are who they say they are – this involves the DWP government department who can confirm the person’s NI number (social security number). Then the person’s address needs to be confirmed through various sources – usually a recent utility bill or local tax payments. The relationship between the vehicle, the person and the address needs to be confirmed through the Driver and Vehicle Licensing Agency. All of this needs to be achieved in a way that the aggregated information about the person is not revealed, while still allowing a subsequent allegation of fraud to be investigated. So far so good – but how do recent events like the DigiNotar and RSA hacks impact on these aims? Both of these events showed that identity providers are not immune from advanced persistent threats. If one individual has their identity stolen it is a problem for that individual; if an identity provider is compromised it is a major disaster for everyone who relies on it. In the case of DigiNotar – it is believed that the faked certificates were used to intercept the online activities of Iranian citizens. This makes issues like aggregation of personal data pale into insignificance. It has also created an enormous cost for the Dutch government whose websites relied upon the certificates issued by this authority. In the case of RSA – the cost has been to its reputation and the need to offer a replacement SecurID token to their entire user base. So being an identity provider has its risks and if the government relies on third parties it may end up picking up the pieces when things go wrong. This is a very interesting programme, with the first deliveries expected in 2012/2013.
KuppingerCole's opinion is that it is best to architect systems to avoid any single point of failure – and this applies to identity assurance. A good approach is one of versatile authentication. Here the authentication demanded depends upon the risk assessed at the time the transaction is being requested. So a low value transaction being requested from a known MAC address at its usual IP address is viewed as being lower risk than a high value transaction being requested from an abnormal geographical location and an unusual computer. In the latter case the authentication system would require additional verification of the identity of the requestor (preferably from an alternate ID provider). Security must be designed in such a way that it does not depend on a single entity. How this could be solved on the Internet is the real challenge for ID Assurance.
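As an added illustration of the versatile authentication described above (example code, not KuppingerCole's or the ID Assurance programme's own): a risk score is built from how far a request deviates from the user's known device, IP address, country and usual transaction value, and the score selects the verification steps demanded, with the alternate identity provider reserved for the highest risk level. The weights, thresholds and provider names are constructed assumptions.

```python
# Versatile (risk-based) authentication policy. Added example, not code from
# the original post; the weights, thresholds and provider names are constructed
# assumptions. The authentication demanded rises with the risk assessed for the
# request, and the highest level needs a second, alternate identity provider.
from dataclasses import dataclass

@dataclass(frozen=True)
class UserProfile:
    known_devices: frozenset   # device identifiers (e.g. MAC) seen before
    known_ips: frozenset       # IP addresses seen before
    home_country: str          # usual geographical location
    primary_idp: str           # identity provider normally used

@dataclass(frozen=True)
class Request:
    device_id: str
    ip: str
    country: str
    amount: float              # transaction value

# Constructed weights: an unusual location and a high value weigh most.
WEIGHT_UNKNOWN_DEVICE, WEIGHT_UNKNOWN_IP, WEIGHT_FOREIGN_COUNTRY = 2, 1, 3
WEIGHT_HIGH_VALUE, WEIGHT_MEDIUM_VALUE = 3, 1
MEDIUM_VALUE_LIMIT, HIGH_VALUE_LIMIT = 100.0, 1000.0
ALTERNATE_IDP = {"idp-a": "idp-b", "idp-b": "idp-a"}   # constructed pairing

def risk_score(profile: UserProfile, req: Request) -> int:
    """Sum the weights of every way the request deviates from the profile."""
    score = 0
    if req.device_id not in profile.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
    if req.ip not in profile.known_ips:
        score += WEIGHT_UNKNOWN_IP
    if req.country != profile.home_country:
        score += WEIGHT_FOREIGN_COUNTRY
    if req.amount >= HIGH_VALUE_LIMIT:
        score += WEIGHT_HIGH_VALUE
    elif req.amount > MEDIUM_VALUE_LIMIT:
        score += WEIGHT_MEDIUM_VALUE
    return score

def required_authentication(profile: UserProfile, req: Request) -> list:
    """Ordered verification steps the request must pass before it is allowed."""
    score = risk_score(profile, req)
    steps = [f"password@{profile.primary_idp}"]
    if score >= 2:                       # something about the request is unusual
        steps.append(f"otp@{profile.primary_idp}")
    if score >= 5:                       # high risk: do not rely on one provider
        steps.append(f"verify@{ALTERNATE_IDP[profile.primary_idp]}")
    return steps
```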
WHAT HAPPENED? On July 19th, Rupert Murdoch, proprietor of one of the world’s largest news organizations News International, apologized for phone hacking by reporters at the News of the World, and is quoted as saying “this is the humblest day of my life” to a committee of MPs in London. What does this teach us about information governance?
On Sunday July 10th, 2011 the News of the World published its last edition. This paper had been publishing for 168 years and was the top selling Sunday newspaper in the UK. The closure came following revelations of how the newspaper had allegedly obtained personal information using illegal methods such as phone hacking. The News of the World had a long history of exposing corruption in business and politics as well as the personal scandals of celebrities. It had been very effective at finding and revealing many stories of wrongdoing and corruption with a genuine public interest. However the events leading up to the closure began in 2005 when the News of the World published details of Prince William’s health. These details could only have originated from mobile ‘phone messages having been intercepted and this led to a police investigation. Two years later, a reporter working for the newspaper and a private investigator were sent to prison for phone hacking. It was reported that the pair were considered to have been acting alone, and the investigation ended.
Over a period of time it emerged that the ‘phones of further prominent people had been hacked. Then there were allegations that the lists of ‘phone numbers included those of victims of crime, including victims of the 7/7 London bombing.
This led to the re-opening of the police enquiry and an enquiry by a committee of MPs.
WHAT IS THE PROBLEM? News International is an organization that employs 53,000 people around the world – so how can one newspaper that made up less than 1% of the organization have led to such trouble? When MP Alan Keen asked: “It became clear from the first couple of questions to you Rupert Murdoch, that you'd been kept in the dark quite a bit on some of these real serious issues, is there more?” Rupert Murdoch replied: “Nobody kept me in the dark, I may have been lax in not asking, but [the News of the World] was such a tiny part of our business.”
So how could it be that Mr Murdoch did not know? Clearly some people believe that the man at the top should take responsibility for everything that happens. But should someone at the top of an organization of this size be expected to monitor every employee, or is there a better way? I believe the answer lies with better governance.
Firstly - it is difficult to understand how anyone could believe that obtaining the information described above can be explained as being legal because it is in the public interest. Secondly the fact that reporters and investigators were able to get hold of some of the information raises the question of how well the information was being cared for by the organizations that held it. So - I believe that the problem is one of information governance.
INFORMATION GOVERNANCE Governance sets the framework within which an organization operates; it sets the ethical tone. It sets the policies and the organizational structure needed to ensure the execution of the strategic goals. With good governance misdeeds are prevented, or at least detected earlier, and processes are in place to ensure proper communication from the management to the staff and to give the board transparency of what is happening.
Balancing the rights of individual privacy against the need for a free press is not easy. However all organizations need to take care of the information they hold and ensure that they comply with laws and best practice. The best approach for this is one of information governance. Information governance sets the policies, procedures, practices and organizational structures that ensure that information is legally obtained and properly managed. Good governance ensures that there is a consistent approach to risks and compliance across different lines of business and multiple laws and regulations. It can reduce costs by avoiding multiple, ad hoc, approaches to compliance and risk management.
Organizations with good information governance will know what information they hold and will have a process for training staff on how to legally obtain information and to keep this information secure.
CONCLUSION Organisations that collect information on individuals, even the news media, need to make sure that they behave ethically and comply with privacy legislation. Organizations that hold information on individuals need to take care that this information is handled properly and that staff are trained to detect and resist unauthorized attempts to get hold of this information. Basically this is down to good information governance.