Interview and Presentation–Security Issues associated with cloud-based computing

Introduction

Alastair MacGibbon - Centre For Internet Safety (University of Canberra)

I have been invited to do an interview with Alastair MacGibbon of Centre For Internet Safety (University Of Canberra) and Brahman Thiyagalingham of SAI Global who is involved in auditing computing service providers for data security compliance.

This interview and the presentation delivered by Alastair which I attended subsequently is about the issue of data security in the cloud-driven “computing-as-a-service” world of information technology.

Cloud based computing

We often hear the term “cloud computing” being used to describe newer outsourced computing setups, especially those which use multiple data centers and servers. But, for the context of this interview, we use this term to cover all “computing-as-a-service” models that are in place.

Brahman Thyagalingham - SAI Global

These “cloud-based computing” setups are in use by every consumer and business owner or manager as they go through their online and offline lives. Examples of these include client-based and Web-based email services, the Social Web (Facebook, Twitter, etc), photo-sharing services and online-gaming services. But it also encompasses systems that are part of our everyday lives like payment for goods and services; the use of public transport including air travel; as well as private and public medical services.

This is an increasing trend as an increasing number of companies offer information solutions for our work or play life that are dependent on some form of “computing-as-a-service” backend. It also encompasses building control, security and energy management; as well as telehealth with these services offered through the use of outsourced backend servers.

Factors concerning cloud-based computing and data security

Risks to data

There are many risks that can affect data in cloud-based computing and other “computing-as-a-service” setups.

Data theft

The most obvious and highly-publicised risk is the threat to data security. This can range from the computing infrastructure being hacked, including malware attacks on client or other computers in the infrastructure, to social-engineering attacks on the service’s participants.

A clear example of this were the recent attacks on Sony’s online gaming systems like the PlayStation Network. Here, there was a successful break-in in April which caused Sony to shut down the PlayStation Network and Qriocity for a month. Then, a break-in attempt on many of the PlayStation Network accounts had taken place this week ending 13 October 2011.

The attack on data isn’t just by lonely script kiddies anymore. It is being performed by organised crime; competitors engaging in industrial espionage and nation states engaging in economic or political espionage. The data that is being stolen is identities of end-users; personal and business financial data; and business intellectual property like customer information, the “secret sauce” and details about the brand and image.

Other risks

Other situations can occur that compromise the integrity of the data. For example, a computing service provider could become insolvent or change ownership. This can affect the continuity of the computing service and the availability of the data on the systems. It can also affect who owns the actual data held in these systems.

Another situation can occur if there is a system or network breakdown or drop in performance. This may be caused by a security breach; but can be caused by ageing hardware and software or, as I have seen more recently, an oversubscribed service where there is more demand than the service can handle. I have mentioned this latest scenario in HomeNetworking01.info in relation to Web-based email providers like Gmail becoming oversubscribed and performing too slowly for their users.

Common rhetoric delivered to end-users of computing services

The industry focuses the responsibility of data security for these services on to the end-users of the services.

Typically the mantra is to keep software on end computers (including firmware on dedicated devices) up-to-date; develop good password habits by using strong passwords that are regularly changed and not visible to others; and make backup copies of the data.

New trends brought on by the Social Web

But there are factors that are being undone by the use of the Social Web. One is the use of password-reset questions and procedures that are based on factors known to the end user. Here, the factors can be disclosed by crawling data left available on social-networking sites, blogs and similar services.

Similarly, consumer sites like forums and comment trees are implementing single-sign-on setups that use credential pools hosted by other services popular with consumers; namely Google, Facebook and Windows Live. This also extends to “account-tying” by popular services so that you are logged on to one service if you are logged on to another. These can create a weaker security environment and aren’t valued by companies like banks which hold high-stakes data.

The new direction

Previously, it has also been very easy for a service provider to absolve itself of the responsibility it has to its users and the data they create. This has been through the use of complex legalese in the service agreements that users have to assent to before they sign up to the service.

Now the weight for data security is being placed primarily on the service providers who offer these services to the end users rather than on the end users themselves. Even if the service provider is providing technology to facilitate another organisation’s operations, it will have to be responsible for that organisation’s data and the data stream created by the organisation’s customers.

Handling a data break-in or similar incident

Common procedures taken by service providers

A typical procedure in handling a compromised user account is that the account is locked down by the service provider. The user is then forced to set a new password for that account. In the case of banking and other cards that are compromised, the compromised cards would be voided so that retailers or ATMs seize them, and the customer would be issued with a new card and have to determine a new PIN.
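As an added illustration of the lockdown-and-forced-reset procedure just described (example code written for this page, not any provider’s code): a hypothetical in-memory account service. When a compromise is reported the account is locked, every live session is revoked (so whoever holds a stolen session is cut off as well), and a time-limited one-time reset token is issued; the reset refuses the old password. The token lifetime and the PBKDF2 iteration count are assumed policy values, and the audit list stands in for the incident record a real service would keep.

```python
# Added example (not from the original post or any provider's code): a hypothetical
# in-memory account service showing lockdown of a compromised account, revocation
# of all live sessions, and a forced one-time password reset.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

RESET_TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumed setting
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    locked: bool = False                      # set when a compromise is reported
    sessions: Set[str] = field(default_factory=set)
    reset_token: Optional[str] = None
    reset_expires: float = 0.0


class AccountService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[Tuple[str, str]] = []  # (event, username) for the incident record

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            return None  # a locked account cannot log in until the reset completes
        if not hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt)):
            return None
        session = secrets.token_urlsafe(32)
        acct.sessions.add(session)
        return session

    def session_valid(self, username: str, session: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and not acct.locked and session in acct.sessions

    def report_compromise(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Lock the account, revoke every live session and issue a one-time reset token."""
        acct = self.accounts.get(username)
        if acct is None:
            return None
        now = time.time() if now is None else now
        acct.locked = True
        acct.sessions.clear()                 # an attacker holding a session is cut off too
        acct.reset_token = secrets.token_urlsafe(32)
        acct.reset_expires = now + RESET_TOKEN_TTL
        self.audit.append(("locked", username))
        return acct.reset_token               # delivered out of band in a real service

    def complete_reset(self, username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        """Accept the new password only with a valid, unexpired token and a changed password."""
        acct = self.accounts.get(username)
        now = time.time() if now is None else now
        if acct is None or acct.reset_token is None or now > acct.reset_expires:
            return False
        if not hmac.compare_digest(acct.reset_token, token):
            return False
        # the compromised password must not be reused
        if hmac.compare_digest(acct.password_hash, hash_password(new_password, acct.salt)):
            return False
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = hash_password(new_password, acct.salt)
        acct.reset_token = None
        acct.locked = False
        self.audit.append(("reset", username))
        return True


if __name__ == "__main__":
    svc = AccountService()
    svc.register("alice", "correct horse")   # constructed sample account
    session = svc.login("alice", "correct horse")
    token = svc.report_compromise("alice")
    print("old session still valid:", svc.session_valid("alice", session))
    print("reset accepted:", svc.complete_reset("alice", token, "new pass"))
    print("audit:", svc.audit)
```

The token is compared with `hmac.compare_digest` rather than `==` so that the check does not leak timing information, and the session set is cleared at lockdown rather than at reset, since the whole point of the lockdown is to end any access the attacker already has.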

The question that was raised in the interview and presentation today is what was placed at risk during the recent Sony break-ins. The typical report was that the customers’ login credentials were compromised, with some doubtful talk about the customers’ credit-card and stored-value-wallet data being at risk.

Inconsistent data-protection laws

One issue that was raised today was inconsistent data-protection laws that were in place across the globe. An example of this is Australia – the “She’ll Be Right” nation. Compared to the USA and the UK, Australians don’t benefit from data-protection laws that require data-compromise disclosure.

What is needed in a robust data-compromise-disclosure law or regulation is for data-security incidents to be disclosed properly and promptly to the law-enforcement authorities and the end-users.

This should cover what data was affected, which end-users were placed at risk by the security breach, when the incident took place and where it took place.

International issues

We also raised the issue of what happens if the situation crosses national borders. Here nations would have to set out practices in handling these incidents.

It may be an issue that has to evolve in a similar way to other areas of international law like extradition, international child-custody/access, and money-laundering.

Use of industry standards

Customers place trust in brands associated with products and services. The example that we were talking about with the Sony data breach was the Sony name has been well-respected for audio-visual electronics since the 1960s. As well, the PlayStation name was a brand of respect associated with a highly-innovative electronic gaming experience. But these names were compromised in the recent security incidents.

There is a demand for standards that prove the ability of a computing service provider to provide a stable, properly secured computing service. Analogies that we raised were the standards in place to assure the provision of safe goods, like those concerning vehicle parts such as windscreens, or those affecting the fire-safety rating of the upholstered furniture and soft-furnishings in the hotel we were in during the afternoon.

Examples of these are the nationally-recognised standards bodies like Standards Australia, British Standards Institute and Underwriters Laboratories. As well there have been internationally-recognised standards bodies like the International Standards Organisation; and industry-driven standards groups like DLNA.

The standards we were focusing on today were the ISO 27001 which covers information security and the ISO 20000 which covers IT service management.

Regulation of standards

Here, the government regulators need to “have teeth” when it comes to assuring proper compliance. This includes the ability to issue severe fines against companies who aren’t handling the data breaches responsibly as well as mitigation of these fines for companies who had an incident but had audited compliance to the standards. This would be demonstrated with evidence of compliant workflow through their procedures, especially through the data incident.

As well, Brahman had underscored the need for regular auditing of “computing as a service” providers so they can prove to customers and end users that they have procedures in place to deal with data incidents.

I would augment this with the use of a customer-recognisable, distinct “Trusted Computing Service Provider” logo that can only be used if the company’s processes are compliant with the standards. The logo would be promoted with a customer-facing advertising campaign that promotes the virtues of buying serviced computing from a compliant provider. This would be the “computing-as-a-service” equivalent of the classic “Good Housekeeping Seal” that was used for food and kitchen equipment in the USA.

Conclusion

What I have taken from this event is that the effort for maintaining a secure computing service is now moving away from the customer who uses the service towards the provider who provides the service. As well, there is a requirement to establish and enforce industry-recognised standards concerning the provision of these services.

Interview Series–Network audio and video

Introduction

Between the end of October and the beginning of November, I had a chance to interview people who work with two different companies that work in the consumer audio-video market and had noticed some trends concerning this market and its relevance to the online world.

One main trend was that there was increased focus by consumer-audio manufacturers who work in the popular marketplace on delivering DAB+ digital radio equipment rather than network-connected audio equipment to the Australian market. This may be because some of these firms need to see this technology become more popular here and want to have “every base covered”.

Sony

From my interview with Kate Winney I had observed that Sony had a strong presence in the connected-TV scene. Here, this was more concentrated with their newer “main-lounge-area” TVs but they are providing this functionality on some of their video peripherals, namely their BD-Live Blu-Ray players.

We agreed that Sony had no Internet radio in its product lineup although they implement Shoutcast on their high-end home-theatre receivers like the STR-DA5500ES. But we agreed that they need to make DAB+ available on their stationary “big sets” like hi-fi tuners, receivers, home-theatre-in-box systems and bookshelf audio systems. They are releasing a few DAB+ sets but most likely as stereo systems rather than as portables or components.

I had stressed to Kate about Sony implementing vTuner or a similar directory-driven service which is implemented in most Internet radios. This is because most of these services offer access to the simulcast streams of the government, commercial and community radio stations broadcasting to local countries around the world as well as the Internet-only streams of the kind that Shoutcast offers. It is also because most people who are interested in Internet radio are likely to want to use it as a way of enjoying the “local flavour” of another country that is provided by that country’s regular broadcasters rather than just looking for offbeat content.

Kate also reckoned that DAB+ digital radio needs to be available in the dashboard of cars in the new fleet, preferably as standard equipment or as a “deal-broker” option offered by car dealers for the technology to become popular. I was also thinking about whether Sony should offer DAB+ technology as part of the XPLOD aftermarket car-audio lineup.

Bush Australia

From my interview with Jacqueline Hickman, I had noticed that Bush are still focused on implementing DAB+ digital radio in Australia but are using Internet radio as a product differentiator for their high-end “new-look” sets that are to appeal to young users.

Their market focus for consumer audio is on the “small sets” like table / clock radios, portable radios, small-form stereo systems but I have suggested implementing or trying some value-priced “big sets” as product ideas. This is even though they run some “main-lounge-area” TVs and digital-TV set-top boxes in their consumer video lineup.

The ideas I put forward are a DAB+ or DAB+ / Internet-radio tuner that is for use with existing audio equipment, and an FM / DAB+ (or FM / DAB+ / Internet-radio) CD receiver with optional speakers. A market that I cited is the mature-aged people who own “classic hi-fi speakers” from the 1960s-1980s that they like the look and sound of but may want to run with a simpler, cost-effective component. I had made a reference to the “casseivers” of the late 70s and early 80s, which have a receiver and cassette deck in one housing, and what these units offered. Jacqui had reckoned that companies like B&O and Bose filled the market but I have said that some of the companies have gone to active speakers rather than integrating power amplifiers in the equipment. As far as the DAB+ tuner is concerned, she suggested that a person could use a portable DAB+ set and connect it to the amplifier using an appropriate cable.

I raised the topic of IPTV but Jackie was not sure whether this will be implemented in any of their TV sets or set-top boxes at the moment. This sounds like a product class that hasn’t been properly defined with a particular standard and platform especially in this market.

Conclusion

It therefore seems to me that there is more interest by consumer-electronics companies in nurturing the DAB+ digital radio system and the DVB-T digital TV system because they are based on established technology and established metaphors; and appeal more to “Joe Six-Pack” than the Internet-based technologies.

Also, I had noticed that it takes a long time for all equipment classes to benefit from a new technology. This is more so with DAB+ digital radio and, to some extent, Internet radio where the mains-operated stationary “large sets” like hi-fi equipment and stereo systems are under-represented.

Interview Series–Brother International

On Wednesday 3 November, I had been invited by Monique Haylen from Mint PR to have an interview with staff from Brother International at their offices in Macquarie Park. The staff members who I talked to were Heidi Webster (Brand and Marketing Manager, IT and Office Products) and Stephen Bennett (Pre-Sales Technical Support Specialist, Network Printing Solutions).

I raised some general findings and trends that I have observed in the industry since writing this site and they may be of interest to a company like Brother as they develop their products for use in a home or small-business network. One of the reasons I have put these findings forward to them is so they can make their products compete very well in a crowded marketplace.

A3 multifunction inkjet printers

After my review of the Brother MFC-6490CW A3 multifunction inkjet printer, I thought it might be a good time to delve deeply into the future developments of these MFCs.

This class of printer is selling well but is popular mainly with graphic design, CAD and engineering customers who appreciate working with this paper size for their plans and artwork. The architect customers especially appreciate the ability to scan and copy from A3 size mainly as part of submitting their building plans for government approval.

Brother wants to see these machines and the A3 page size used more in the general office space rather than just these vertical markets. The applications that we were talking of include printing up of large spreadsheets as well as using this large page size to turn out promotional material that impresses customers. Heidi even was thinking of the cafe that we were having coffee at and how a cafe or restaurant could print up menus and “specials” lists on this page size.

They intend to implement a survey program amongst the people who have bought the A3 multifunction printers in order to find out how the printers can be “taken further”.

They looked at the usefulness of A3 scanners in these machines but these would be of use primarily to the previously-mentioned vertical markets. They reckon that this function may not see much use in the general office space and may keep the A3 scanner as a product differentiator for some of their high-end models. But they have also said that there is still the desire amongst most users to enlarge material that was originally printed on A4 and print it on A3 paper.

IP-based faxing

I have raised the issue of Internet-based faxing and email-to-print applications but this appears to be a very difficult feature to implement for most small business and home users. This issue is becoming more real as we move towards IP-driven telephony setups like the UK’s 21CN project and Australia’s National Broadband Network that will play havoc with regular fax technology. This technology is designed for the circuit-based telephone setups like the “plain old telephone service” or GSM mobile telephony and Stephen said that businesses who have moved their telephony infrastructure from the orthodox analogue-based setups to all-digital setups have had lots of trouble with their fax systems after the conversion.

The current solution that Brother uses involves the use of T.37 technology which uses regular POP3/SMTP email setups with use of existing mailboxes but the task of setting this up isn’t simple for those of us who aren’t very computer-savvy. Heidi and Stephen raised the idea of implementing a “wizard-driven” setup experience to establish this functionality. They also raised the issue of the IP-based telephony projects providing support for T.38 Internet-fax protocols and I was also thinking of these projects implementing “bridge” setups to link existing fax machines and circuit-based phone networks to this packet-based technology.

The way that they will prepare for the IP-based faxing world would be to integrate PSTN and IP fax functionality in their SOHO and SME network printers when they provide fax functionality.

Implementation of HomePlug powerline networking technology

I have raised the issue of Brother implementing HomePlug powerline networking as a network connectivity method for their printers, like I would do with all the other printer manufacturers who offer network-enabled printers. This is in order to see this network-connectivity technology be considered as an additional or alternative “no-new-wires” connection method.

There is action on this idea in Japan but they will probably release it in to a subsequent generation of printers. Stephen has also raised the issue of connection reliability with Wi-Fi networks that he has encountered through his work, and this could become a valid idea.

I have also raised the possibility of printers that are connected to a wired network acting as a Wi-Fi access point as an optional function, and they have accepted the idea. This includes the concept of a secondary or “infill” access point for difficult setups, and I was citing old double-brick houses with extensions and multi-building setups as examples.

Sewing machines being linked to the home network

As I know that Brother also have made and do make sewing machines and similar equipment, I have raised the possibility of integrating this kind of equipment with the home network. This is because, from my observations, most households are implementing home networks whether to provide Internet access to many computers and devices, or to provide wireless Internet access to a laptop computer that is moved around the house very easily. I was targeting this idea at the high-end computerised sewing / embroidery machines that allow a user to design embroidery patterns on their regular computer using manufacturer-supplied software and upload these patterns to the sewing machine so that it can start working on the pattern.

Most such machines directly connect to the host computer as a peripheral using a USB cable. But there are people who don’t want to have the computer, whether a desktop or a laptop unit, in their sewing room. Even if they do want the computer there, they would have to create room near the machine for the computer and this can be very difficult in the midst of a project with all that cloth, all those craft tools and other bits and pieces.

I told Heidi and Stephen about the Silex Stitch-Link device (http://www.silexamerica.com/support/other/stitchlink.html) that uses the USB-over-network technology to link sewing machines to PCs via the Wi-Fi network. Like other USB-over-network devices, this unit requires the user to install special software on their computer and make sure that their host computer “claims” the USB-over-network device in order to establish the link to the peripheral that is connected to the device.

They were interested in this idea especially as a way of endowing more functionality and features to the high-end class of machine. They also saw this on the premise of “if Brother can network-enable their printers, why can’t they network-enable these sewing machines”. I then put forward ideas like integrating Wi-Fi or HomePlug functionality or simply adding an Ethernet socket to the machine for use with an optional HomePlug kit or Wi-Fi client bridge or a simple Ethernet cable.

Conclusion

These issues are likely to help Brother establish its position in the home and small-business network for the main device classes that it specialises in.
