Alastair MacGibbon – Centre For Internet Safety (University of Camberra)
I have been invited to do an interview with Alastair MacGibbon of Centre For Internet Safety (University Of Canberra) and Brahman Thiyagalingham of SAI Global who is involved in auditing computing service providers for data security compliance.
This interview and the presentation delivered by Alastair which I attended subsequently is about the issue of data security in the cloud-driven “computing-as-a-service” world of information technology.
Cloud based computing
We often hear the term “cloud computing” being used to describe newer outsourced computing setups, especially those which use multiple data centers and servers. But, for the context of this interview, we use this term to cover all “computing-as-a-service” models that are in place.
Brahman Thyagalingham – SAI Global
These “cloud-based computing” setups are in use by every consumer and business owner or manager as they go through their online and offline lives. Examples of these include client-based and Web-based email services, the Social Web (Facebook, Twitter, etc), photo-sharing services and online-gaming services. But it also encompasses systems that are part of our everyday lives like payment for goods and services; the use of public transport including air travel; as well as private and public medical services.
This is an increasing trend as an increasing number of companies offer information solutions for our work or play life that are dependent on some form of “computing-as-a-service” backend. It also encompasses building control, security and energy management; as well as telehealth with these services offered through the use of outsourced backend servers.
Factors concerning cloud-based computing and data security
Risks to data
There are many risks that can affect data in cloud-based computing and other “computing-as-a-service” setups.
The most obvious and highly-publicised risk is threats to data security. This can come in the form of the computing infrastructure being hacked including malware attacks on client or other computers in the infrastructure to social-engineering attacks on the service’s participants.
A clear example of this were the recent attacks on Sony’s online gaming systems like the PlayStation Network. Here, there was a successful break-in in April which caused Sony to shut down the PlayStation Network and Qriocity for a month. Then, a break-in attempt on many of the PlayStation Network accounts had taken place this week ending 13 October 2011.
The attack on data isn’t just by lonely script kiddies anymore. It is being performed by organised crime; competitors engaging in industrial espionage and nation states engaging in economic or political espionage. The data that is being stolen is identities of end-users; personal and business financial data; and business intellectual property like customer information, the “secret sauce” and details about the brand and image.
Other situations can occur that compromise the integrity of the data, For example, a computing service provider could become insolvent or change ownership. This can affect the continuity of the computing service and the availability of the data on the systems. It also can affect who owns the actual data held in these systems.
Another situation can occur if there is a system or network breakdown or drop in performance. This may be caused by a security breach; but can be caused by ageing hardware and software or, as I have seen more recently, an oversubscribed service where there is more demand than the service can handle. I have mentioned this latest scenario in HomeNetworking01.info in relation to Web-based email providers like Gmail becoming oversubscribed and performing too slowly for their users.
Common rhetoric delivered to end-users of computing services
The industry focuses the responsibility of data security for these services on to the end-users of the services.
Typically the mantra is to keep software on end computers (including firmware on dedicated devices) up-to-date; develop good password habits by using strong passwords that are regularly changed and not visible to others; and make backup copies of the data.
New trends brought on by the Social Web
But there are factors that are being undone by the use of the Social Web. One is the use of password-reset questions and procedures that are based on factors known to the end user. Here, the factors can be disclosed by crawling data left available on social-networking sites, blogs and similar services.
Similarly, consumer sites like forums, and comment trees are implementing single-sign-on setups that use credential pools hosted by other services popular to consumers; namely Google, Facebook and Windows Live. This also extends to “account-tying” by popular services so that you are logged on to one service if you are logged on to another. These can create a weaker security environment and aren’t valued by companies like banks which hold high-stakes data.
The new direction
As well, it has been previously very easy for a service provider to absolve themselves of the responsibility they have to their users and the data they create. This has been through the use of complex legalese in their service agreements that users have to assent to before they sign up to the service.
Now the weight for data security is now being placed primarily on the service providers who offer these services to the end users rather than the end users themselves. Even if the service provider is providing technology to facilitate another organisation’s operations, they will have to be responsible for that organisation’s data and the data stream created by the organisation’s customers.
Handling a data break-in or similar incident
Common procedures taken by service providers
A typical procedure in handling a compromised user account is that the account is locked down by the service provider. The user is then forced to set a new password for that account. In the case of banking and other cards that are compromised, the compromised account cards would be voided sot that retailers or ATMs seize them and the customer would be issued with a new card and have to determine a new PIN.
The question that was raised in the interview and presentation today is what was placed at risk during the recent Sony break-ins. The typical report was that the customers’ login credentials were compromised, with some doubtful talk about the customers’ credit-card and stored-value-wallet data being at risk.
Inconsistent data-protection laws
One issue that was raised today was inconsistent data-protection laws that were in place across the globe. An example of this is Australia – the “She’ll Be Right” nation. Compared to the USA and the UK, Australians don’t benefit from data-protection laws that require data-compromise disclosure.
What is needed in a robust data-compromise-disclosure law or regulation is for data-security incidents to the disclosed properly and promptly to the law-enforcement authorities and the end-users.
This should cover what data was affected, which end-users were placed at risk by the security breach, when the incident took place and where it took place
We also raised the issue of what happens if the situation crosses national borders. Here nations would have to set out practices in handling these incidents.
It may be an issue that has to evolved in the similar way that other factors of international law like extradition, international child-custody/access, and money-laundering have evolved.
Use of industry standards
Customers place trust in brands associated with products and services. The example that we were talking about with the Sony data breach was the Sony name has been well-respected for audio-visual electronics since the 1960s. As well, the PlayStation name was a brand of respect associated with a highly-innovative electronic gaming experience. But these names were compromised in the recent security incidents.
There is a demand for standards that prove the ability for a computing service provider to provide a stable proper secure computing service. Analogies that we raised were those standards that were in place to assure the provision of safe goods like those concerning vehicle parts like windscreens or those affecting the fire-safety rating of the upholstered furniture and soft-furnishings in the hotel that we were in during the afternoon.
Examples of these are the nationally-recognised standards bodies like Standards Australia, British Standards Institute and Underwriters Laboratories. As well there have been internationally-recognised standards bodies like the International Standards Organisation; and industry-driven standards groups like DLNA.
The standards we were focusing on today were the ISO 27001 which covers information security and the ISO 20000 which covers IT service management.
Regulation of standards
Here, the government regulators need to “have teeth” when it comes to assuring proper compliance. This includes the ability to issue severe fines against companies who aren’t handling the data breaches responsibly as well as mitigation of these fines for companies who had an incident but had audited compliance to the standards. This would be demonstrated with evidence of compliant workflow through their procedures, especially through the data incident.
As well, Brahmin had underscored the need for regular auditing of “computing as a service” providers so they can prove to customers and end users that they have procedures in place to deal with data incidents.
I would augment this with the use of a customer-recognisable distinct “Trusted Computing Service Provider” logo that can only be used if the company is compliant the the standards in their processes. The logo would be promoted with a customer-facing advertising campaign that promotes the virtues of buying serviced computing from a compliant provider. This would be the “computing-as-a-service” equivalent of the classic “Good Housekeeping Seal” that was used for food and kitchen equipment in the USA,
What I have taken from this event is that the effort for maintaining a secure computing service is now moving away from the customer who uses the service towards the provider who provides the service. As well, there is a requirement to establish and enforce industry-recognised standards concerning the provision of these services.