Tag: software-as-a-service

Avoiding a mess-up with your small business’s or community organisation’s IT

Lenovo ThinkPad Helix 2 connected to Wi-Fi hotspot at Bean Counter Cafe

Make sure you know where you stand with your small business’s or community organisation’s IT software and services

A very common situation for a small business that is starting out, or a community organisation that runs with a handful of core volunteers, is that you end up with a messy information-technology situation.

Typically this happens because the people behind the organisation buy the hardware, software and services out of their own pocket, on the assumption that the organisation is running on the “smell of an oily rag” with very minimal funds. This situation affects organisations in the religious, charitable or voluntary sector, where they want to spend as little as possible on office-related or capital expenses so that the money coming in is focused on the organisation’s raison d’être.

What can happen, especially with software, is that it ends up being licensed in the name of the contributor or volunteer, while a service like Web-site hosting or domain-name renewal is paid for out of a member’s or volunteer’s personal funds and managed in that member’s name. In the case of operating systems or other software furnished with donated computer hardware, the software can also be licensed in the name of the donor rather than the beneficiary, and no procedure takes place to technically and legally transfer this ownership.

Then you can end up with issues like software piracy and licence non-compliance, or a service being paid for by someone who has since left the organisation, so that you don’t know where that service is going or whose name the computer software should be in. You also have the issue of where the organisation legally stands when it comes to using the service, and this can also place the continuity of that service in doubt.

Do you know the organisation’s legal entity?

Here, you have to know how the business or organisation is legally referred to and represented. This includes a business, company or other legal name that represents the organisation as well as its trading or other “public-facing” name. Typically, the organisation’s legal name may be written out in any stationery associated with its bank account.


Make sure that any software the organisation uses is bought in the name of the organisation. If someone wants to donate a program to the organisation, they need to either donate the program’s value to the organisation as cash through the normal paths, like a church’s offering plate or basket, or buy the software as an unencumbered package using their own funds and hand the software package over to the organisation.

Some “buy and download” software providers may allow you to register a copy of the software in one name while allowing you to pay using a credit card or PayPal account in a different name. This measure is typically provided to allow one to give the software as a personal gift.


Increasingly, business IT is being focused towards the purchasing of services like Web hosting, domain names and the like, with an increasing number of IT functions like software suites being sold “as a service”. Typically this involves someone having to pay for the service on a regular basis.

Payment for the services

What these organisations can do is to maintain a business debit card, based on a major payment-card platform and drawing from the organisation’s funds. The organisation adopts strict usage and accounting procedures for payments made with this card and uses it primarily for business services that can only be paid for with a major payment card. Alternatively, they could make sure that the service they want to engage accepts a standing direct-debit order as the payment method. Anyone who wishes to donate the cost of a service could do so through a cash payment to the organisation via the usual payment path.

Whose name is the service under?

As for these services, make sure that they are registered or set up in the name of the organisation. For example, a domain name’s WHOIS data must reflect the name of the organisation and whoever holds the executive position. For organisations that use a home as their office, it may be better to supply a mailing address like a PO box or a mail-drop; or, if they operate a long-term physical shopfront, to use the shopfront’s address as the mailing address.

Login details and user accounts

All login details like usernames and passwords associated with these services have to be known to authorised personnel currently in the organisation. This could be achieved through either a paper document or an electronic document file on a USB memory key, which has to be kept in safe storage on the organisation’s premises, such as a safe. Here, you could use a “secure” USB memory key that uses encryption and password protection for this purpose, and keep the password for that key in a separate envelope. This list of passwords needs to be updated every time these passwords are changed, and they should be changed regularly, such as whenever people leave the organisation.

You may find that it is better to use multiple user accounts for these services so you can add and remove users easily and allow these users to determine their own login parameters. The multiple-user-account setup also gives you the benefit of limiting what privileges a user’s account has, so that the privileges reflect the expected job function of the account-holder. But the administrator password for these services needs to be kept on the above-mentioned organisational password list that is held in safe storage.

Similarly, you may find that the multiple-user-account setup that a service uses may work with single-sign-on so that the credentials are verified with a third-party platform like Microsoft.com, Google or Facebook with the service receiving the “all-clear” in the form of a token. This may be OK to pursue if the employee or volunteer agrees to using the account associated with one of these platforms as part of single sign-on.
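As an added example, not code from the original post: a small Python audit of a constructed software-and-services register that flags the three situations the sections above describe (an item registered in an individual’s name, a service paid from a member’s own pocket, and credentials held by someone who has left without being rotated since). The register layout, field names, organisation name and roster are all assumptions made up for the illustration.

```python
from datetime import date

# Constructed organisation legal name (not from the post).
ORG = "Example Community Group Inc"

# Constructed register: one entry per software licence or paid service.
REGISTER = [
    {"item": "domain example.org", "registered_to": ORG,
     "paid_by": "org debit card", "holders": ["alice"],
     "last_rotated": date(2011, 9, 1)},
    {"item": "web hosting", "registered_to": "Bob Smith",
     "paid_by": "personal card", "holders": ["bob"],
     "last_rotated": date(2011, 3, 1)},
    {"item": "office suite licence", "registered_to": ORG,
     "paid_by": "cash donation", "holders": ["carol", "dave"],
     "last_rotated": date(2010, 12, 1)},
]

# Constructed roster: current members, and departed members with leave date.
CURRENT_MEMBERS = {"alice", "carol"}
DEPARTED = {"bob": date(2011, 6, 15), "dave": date(2011, 8, 1)}


def audit(register, org, current, departed):
    """Return (item, finding) pairs for every problem found; [] means clean."""
    findings = []
    for entry in register:
        item = entry["item"]
        # Licence or service held in an individual's name, not the organisation's.
        if entry["registered_to"] != org:
            findings.append((item, "registered to " + entry["registered_to"]))
        # Recurring cost paid from a member's own pocket.
        if entry["paid_by"] == "personal card":
            findings.append((item, "paid from a member's personal funds"))
        # Credentials still held by someone who has left, and not rotated since.
        for person in entry["holders"]:
            if person in current:
                continue
            left = departed.get(person)
            if left is None:
                findings.append((item, f"holder {person} is not on the roster"))
            elif entry["last_rotated"] <= left:
                findings.append((item, f"not rotated since {person} left on {left}"))
    return findings


if __name__ == "__main__":
    for item, finding in audit(REGISTER, ORG, CURRENT_MEMBERS, DEPARTED):
        print(f"{item}: {finding}")
```

Running it against the constructed register reports four findings: three against the web hosting and one against the office suite licence, whose shared password was last changed before one of its holders left.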


Once your small business or community organisation has its software and services properly under its own umbrella, it can make sure that it knows where it stands through the life of the software and services rather than dealing with a dog’s breakfast.

Interview and Presentation–Security Issues associated with cloud-based computing


Alastair MacGibbon - Centre For Internet Safety (University of Canberra)

I have been invited to do an interview with Alastair MacGibbon of Centre For Internet Safety (University Of Canberra) and Brahman Thiyagalingham of SAI Global who is involved in auditing computing service providers for data security compliance.

This interview and the presentation delivered by Alastair which I attended subsequently is about the issue of data security in the cloud-driven “computing-as-a-service” world of information technology.

Cloud based computing

We often hear the term “cloud computing” being used to describe newer outsourced computing setups, especially those which use multiple data centers and servers. But, for the context of this interview, we use this term to cover all “computing-as-a-service” models that are in place.

Brahman Thyagalingham - SAI Global

These “cloud-based computing” setups are in use by every consumer and business owner or manager as they go through their online and offline lives. Examples of these include client-based and Web-based email services, the Social Web (Facebook, Twitter, etc), photo-sharing services and online-gaming services. But it also encompasses systems that are part of our everyday lives like payment for goods and services; the use of public transport including air travel; as well as private and public medical services.

This is an increasing trend as more companies offer information solutions for our work or play life that depend on some form of “computing-as-a-service” backend. It also encompasses building control, security and energy management, as well as telehealth, with these services offered through the use of outsourced backend servers.

Factors concerning cloud-based computing and data security

Risks to data

There are many risks that can affect data in cloud-based computing and other “computing-as-a-service” setups.

Data theft

The most obvious and highly-publicised risk is threats to data security. This can range from the computing infrastructure being hacked, including malware attacks on client or other computers in the infrastructure, to social-engineering attacks on the service’s participants.

A clear example of this was the recent attacks on Sony’s online gaming systems like the PlayStation Network. Here, there was a successful break-in in April which caused Sony to shut down the PlayStation Network and Qriocity for a month. Then, a break-in attempt on many PlayStation Network accounts took place in the week ending 13 October 2011.

The attack on data isn’t just by lone script kiddies anymore. It is being performed by organised crime; competitors engaging in industrial espionage; and nation states engaging in economic or political espionage. The data being stolen includes the identities of end-users; personal and business financial data; and business intellectual property like customer information, the “secret sauce” and details about the brand and image.

Other risks

Other situations can occur that compromise the integrity of the data. For example, a computing service provider could become insolvent or change ownership. This can affect the continuity of the computing service and the availability of the data on the systems. It can also affect who owns the actual data held in these systems.

Another situation can occur if there is a system or network breakdown or drop in performance. This may be caused by a security breach; but can be caused by ageing hardware and software or, as I have seen more recently, an oversubscribed service where there is more demand than the service can handle. I have mentioned this latest scenario in HomeNetworking01.info in relation to Web-based email providers like Gmail becoming oversubscribed and performing too slowly for their users.

Common rhetoric delivered to end-users of computing services

The industry focuses the responsibility of data security for these services on to the end-users of the services.

Typically the mantra is to keep software on end computers (including firmware on dedicated devices) up-to-date; develop good password habits by using strong passwords that are regularly changed and not visible to others; and make backup copies of the data.

New trends brought on by the Social Web

But there are factors that are being undone by the use of the Social Web. One is the use of password-reset questions and procedures that are based on factors known to the end user. Here, the factors can be disclosed by crawling data left available on social-networking sites, blogs and similar services.

Similarly, consumer sites like forums, and comment trees are implementing single-sign-on setups that use credential pools hosted by other services popular to consumers; namely Google, Facebook and Windows Live. This also extends to “account-tying” by popular services so that you are logged on to one service if you are logged on to another. These can create a weaker security environment and aren’t valued by companies like banks which hold high-stakes data.

The new direction

As well, it has been previously very easy for a service provider to absolve themselves of the responsibility they have to their users and the data they create. This has been through the use of complex legalese in their service agreements that users have to assent to before they sign up to the service.

Now the weight for data security is being placed primarily on the service providers who offer these services to the end users, rather than on the end users themselves. Even if the service provider is providing technology to facilitate another organisation’s operations, they will have to be responsible for that organisation’s data and the data stream created by the organisation’s customers.

Handling a data break-in or similar incident

Common procedures taken by service providers

A typical procedure in handling a compromised user account is that the account is locked down by the service provider. The user is then forced to set a new password for that account. In the case of banking and other cards that are compromised, the compromised cards would be voided so that retailers or ATMs seize them, and the customer would be issued with a new card and have to determine a new PIN.

The question that was raised in the interview and presentation today is what was placed at risk during the recent Sony break-ins. The typical report was that the customers’ login credentials were compromised, with some doubtful talk about the customers’ credit-card and stored-value-wallet data being at risk.

Inconsistent data-protection laws

One issue that was raised today was inconsistent data-protection laws that were in place across the globe. An example of this is Australia – the “She’ll Be Right” nation. Compared to the USA and the UK, Australians don’t benefit from data-protection laws that require data-compromise disclosure.

What is needed in a robust data-compromise-disclosure law or regulation is for data-security incidents to be disclosed properly and promptly to the law-enforcement authorities and the end-users.

This should cover what data was affected, which end-users were placed at risk by the security breach, when the incident took place and where it took place.

International issues

We also raised the issue of what happens if the situation crosses national borders. Here nations would have to set out practices in handling these incidents.

It may be an issue that has to evolve in a similar way to other areas of international law like extradition, international child-custody/access and money-laundering.

Use of industry standards

Customers place trust in brands associated with products and services. The example we were talking about with the Sony data breach was that the Sony name has been well-respected for audio-visual electronics since the 1960s. As well, the PlayStation name was a brand of respect associated with a highly-innovative electronic gaming experience. But these names were compromised in the recent security incidents.

There is a demand for standards that prove the ability of a computing service provider to provide a stable, properly secured computing service. Analogies that we raised were the standards in place to assure the provision of safe goods, like those concerning vehicle parts such as windscreens, or those affecting the fire-safety rating of the upholstered furniture and soft-furnishings in the hotel we were in during the afternoon.

Examples of these are the nationally-recognised standards bodies like Standards Australia, British Standards Institute and Underwriters Laboratories. As well there have been internationally-recognised standards bodies like the International Standards Organisation; and industry-driven standards groups like DLNA.

The standards we were focusing on today were the ISO 27001 which covers information security and the ISO 20000 which covers IT service management.

Regulation of standards

Here, the government regulators need to “have teeth” when it comes to assuring proper compliance. This includes the ability to issue severe fines against companies who aren’t handling the data breaches responsibly as well as mitigation of these fines for companies who had an incident but had audited compliance to the standards. This would be demonstrated with evidence of compliant workflow through their procedures, especially through the data incident.

As well, Brahman had underscored the need for regular auditing of “computing as a service” providers so they can prove to customers and end users that they have procedures in place to deal with data incidents.

I would augment this with the use of a customer-recognisable, distinct “Trusted Computing Service Provider” logo that can only be used if the company is compliant with the standards in its processes. The logo would be promoted with a customer-facing advertising campaign that promotes the virtues of buying serviced computing from a compliant provider. This would be the “computing-as-a-service” equivalent of the classic “Good Housekeeping Seal” that was used for food and kitchen equipment in the USA.


What I have taken from this event is that the effort for maintaining a secure computing service is now moving away from the customer who uses the service towards the provider who provides the service. As well, there is a requirement to establish and enforce industry-recognised standards concerning the provision of these services.