Friday, November 15, 2013

A Crisis of Confidence Costs Real Money

Updated October 5, 2015

---

Updated November 18, 2013

Where does Marissa Mayer (Yahoo CEO) stand on security?  See for yourself.

---

Original Post November 15, 2013

All too frequently the public is surprised by how their electronic personal information is shared or used by online service providers and governments.  Service providers contend that disclosure policies are clearly described in terms of service and require acceptance by users prior to use.  Governments claim unfettered secret access to personal data is required to protect a nation.  Whatever the reasons, it's clear that personal information is often the victim of progress.

Strong security programs are useful for protecting assets against abuse and for communicating confidence.  But security programs are ineffective at preventing intentional privacy abuses, and most terms of service are not useful for managing anyone's expectations.  As a concrete example, secure browser connections and strong passwords do nothing to prevent service providers from using photos of you to sell products to your friends, or from providing information to governments without your knowledge.  Many terms of service cover these subjects softly, if at all, with any salient points buried deep in pages of legal chaff.  Most people trust security controls too much and don't scrutinize the wordplay of service terms enough.  The combination of security controls and terms of service is designed to put privacy concerns to rest and to claim plausible deniability when they erupt publicly.

Lately businesses are learning that security is more than a confidence game: a strong security program must be executed with integrity.  And not only businesses; government agencies must operate without even the slightest perception of impropriety, with full transparency and accountability in everything they do.  Clearly this is not happening today, but what is the result?  The online publication Quartz reported, "Cisco's disastrous quarter shows how NSA spying could freeze US companies out of a trillion-dollar opportunity".  Jeopardizing world confidence in technology is costly in an information-driven economy.   Without strong, immediate, and public action, the cost of business operations will increase significantly.

"Forcing service providers to keep data within each country's national borders sets a precedent for destruction of the cloud services model across the globe."

Think beyond the questions of whether the National Security Agency (NSA) is acting in the best interest of Americans, or even which stories may be true: public news stories about alleged NSA behavior are impacting the revenues of the world's largest multinational corporations.  Recently Bloomberg reported possible new requirements from the government of Brazil that would require "...Google and other providers of online services to keep local-user information in data centers within the country".  In Brazil's case, lack of confidence in Google's ability to ensure the privacy of end-user data from the US government fuels mistrust.  Without restoring confidence in government checks and balances, it's likely other nations will require that their countries' data not leave their borders as well.  Forcing service providers to keep data within each country's national borders sets a precedent for destruction of the cloud services model across the globe.

On October 31, 2013, in a letter to a Senate subcommittee, AOL, Apple, Facebook, Google, Microsoft, and Yahoo called for "...critical reforms that would provide much needed transparency and help rebuild the trust of Internet users around the world".   I suspect we will see some reforms soon.  While improvements may be born out of negative impact to business, change is also likely to provide broad benefits to individuals.

--Milton

* Photo Kitty Goggles, artist unknown

Tuesday, November 5, 2013

OWASP AppSec USA NYC 2013

AppSec USA 2013 (@appsecusa) security conference is right around the corner.  Oracle's Chief Security Officer, Mary Ann Davidson (@heenaluwahine), is presenting a keynote.  For anyone attending and interested, I'm also providing a session on Java security, "Making the Future Secure with Java".  Feel free to send me a tweet (@spoofzu) if you're attending.