April 19, 2013 1 Comment
OK the title got you this far, so what has Toilet Paper and Tea bags got to do with Security? There is a genuine point to it, please read on …..
Following a recent Cloud Computing event I found myself increasingly alarmed by the prevalence of red herrings being thrown around by vendors with respect to how their solutions and or products solved Cloud security issues when in fact they did little more than try to address them individually at best.
The reality is that DATA must be exposed to the software we use to orchestrate it, be that photo’s in Photoshop, a Document in Microsoft Office Word or a record in a database or a record spread across multiple databases. That is where the issue lies in the exposure of Data. The challenge is how we protect that which is of true value. No longer the network boundary, but protecting the DATA, wherever it goes, however it is being accessed, regardless of its form factor. Not how a software solution can provide a secure environment in which to process data, albeit an important factor, it is not a solution in itself.
Bring on the day when data in its raw form is encrypted and the owner can manage that encryption with convenience and ease whilst ensuring complete control over whom they elect to share any part of that data set with. Imagine being able to share data and attach an expiry date, or revoke data usage at will (regulatory retention aside) instead of having to go through lengthy protracted third party information disclosure requests, which even then are often questionable in their accuracy.
What is appealing about this concept is the reality that it places the control of data back into the hands of the individual. The individual or corporation can then dictate whom, when and for how long they share their data. It opens up possibilities like levying a micro payment charge in cases where that data sharing has a commercial value transfer to any benefiting third party. Assuming a trusted platform that can orchestrate this according to a set of user defined sharing rules (policies), such micro payments would soon add up to reasonable sums of money when considering the current spread of personal data. Sadly we are currently a long way from that Holy Grail. It would certainly sober up the Internet Corporatocracy (Facebook, Twitter, Google and their ilk) of this world who have been building personal value by gorging themselves dining at the Internet table of free data. Their addiction to the concept of free data will I suspect see little support from that quarter for such a solution.
Data security software solutions and products largely address a single issue and do not materially protect the critical payload in transit, rest and during its consumption. The payload being none other than data and the information that is ‘data’.
Erosion of privacy through data seepage into the public domain out with owner’s control or intent is an issue of paramount importance and at a corporate and enterprise scale the exposure and risk grows exponentially. On a private individual level that is often of singular concern, attitudes towards privacy of data influenced largely through the Social Media behavioural contagion, massaged by the Internet’s Corporatocracy, who work hard at breaking down the principles of privacy for self-interest. At some point the Social Media lemmings of the world will wake up to find themselves victims of ‘The Emperor’s New Clothes’, loss of privacy and control of one’s personal data is a sorrowful state of affairs many will have to come to terms with. Reminds me of the immortal words ‘For fools rush in where angels fear to tread’ from the poem ‘An essay on criticism’ by Alexander Pope, or for the more contemporary and more poignantly named song ‘Jokerman’ by Bob Dylan.
I digress, Social Media aside, the simple acts of transmitting and collaborating on information present the largest risk surface area(s) for data compromise. Surfaces that are being built out faster than ever before with the boom in personal / portable compute devices (PCD’s) be that a smartphone, tablet, laptop or the next gadget that gets christened off a keyboard with a stuck ‘i’ key!
For every collaborative event requires a transmission of data, and such events are infrequently constrained within Local Area Network (LAN) but at some point transit a public fixed or wireless network (Internet) exposing or depositing data en-route as well as compute devices out with any structured realm of control. Increasingly the securing of the communication conduit is addressed using HTTPS (Hypertext Transfer Protocol Secure), an encrypted transmission that secures data in transit. But that is only part of the exchange process, and one that has had its security reliability tested and questioned, with early iterations of its underlying protocol having been hacked, ref; Infoworld Article ‘HTTPS has been hacked’. So far we have secured the trickiest part of the information exchange to compromise, the transmission, leaving the easiest, the PC and or Server, available and ready to be compromise. An email attachment click away and data on any unsuspecting PCD regularly falls victim to malware.
This gives a false impression of security, rarely are the end points to a data exchange, the PC, Servers or PCD’s similarly encrypted. But it is not JUST end points is it. Every device en-route between exchanging parties holds the data be it for milliseconds or in some cases longer. A veritable pass the parcel where, Data is cached and stored in a myriad of places, where the parcel is little more than a colander raining data and the information life blood of companies and individuals into the public domain.
A recent study released by Team Cymru reveals that hackers misappropriate more than 1TB of data daily from corporate networks alone. If they can do that from corporate systems what hope is there for the Silver Surfers (60+ generation), one of the fastest growing use bases on the internet today. This is not an isolated issue either. With a global population of Zombie computers in the millions the bad guys capacity to leverage compute power with malicious intent outnumbers the good guys. Moving briefly off theme a bit, the escalation of this power was clearly demonstrated recently with the 300GB Distributed Denial of Service (DoS) attack on Spamhaus ‘When spammers go to war: Behind the Spamhaus DDoS’. This was a x6 increase on the previously largest recorded DoS attack of 50GB. At this scale of escalation attacks are having a collateral impact affect beyond the targeted systems. Subject for a future article I would hazard.
Back on theme, we have all heard of ‘Data Security’, but as a term its use is more often not a full truth. As with the data in transit example above, data security is subjective when it needs to be objective. The security that vendors address today is addressing an environmental state that the data is not persisting in, or not persistent in for long. Securing the protocol’s that we communicate data through, or the servers, datacentres, PCD’s that we store data on or the software applications with which we orchestrate our data, is not true ‘DATA’ security. Access to any of these environments, whether authorised or not, means data can readily be harvested, and believe me it is and most of you will not even know it is happening off your own computers.
I feel like shouting in frustration sometimes – it’s in the name ‘DATA’ security, so secure the DATA itself, as I have blogged before ‘Data Security – It’s in the Name!‘ OK good that you secure the other servers, datacentres, PCD’s or software application assets but what about the DATA! I am not proposing we stop securing servers, datacentres, PCD’s and software application, but their security is addressing THEIR security profile and the DATA security is largely by association only. As we currently deal with security at the server, datacentre, PCD and software application level we create security silo’s that require gatekeeping. Thus the cracks start to appear and data fall’s through or the hacker sneaks in, every other which way the data is exposed to higher risk and the prospect if not likelihood of compromise.
Now throw into the mix the structural nature of Cloud Computing architectures and its fastest growing method of interfacing systems with the use of Web/Cloud services. A Web or Cloud service being little more than a traditional API (Application Programming Interface) exposed to a public network. Designed to link disparate systems to deliver richer and often more real time functionality at scale and with collaborative resources unattainable until now to single organisations. Web/Cloud Services live for data exchange and data retention follows hard on the heals of those exchanges between API exposed entities. API’s = more joins and cracks, not to mention interactions to be audited and jurisdictions that will be challenging to reach into to audit and truly validate Service Level and or compliance. This is no scare tactic, I work with programmers every day, and these are some of the smartest guys around, but they are human, and ‘humanum est errare’ (it is human to err).
With an Industry average of “about 15 – 50 errors per 1,000 lines of delivered code” Quote Steve McDonnell from his book ‘Code Complete’ (2nd Edition. Redmond, Microsoft Press, 2004. 960 pages. ISBN), there is an inevitable high risk in API’s, they are just code after all. Yes errors can be ironed out, but the effort is often not commercially viable. For example only after using extensive format development methods, peer reviews, and statistical testing did the space-shuttle project achieved a level of 0 defects in a random sample of 500,000 lines of code. The ‘Cleanroom Development’ technique pioneered by Harlan Miles achieves consistent rates as low as 3 errors per 1,000 lines of code (Cobb and Mills 1990), so there are no easy options. All said and done commercial realities turn this into a real concern, the cost of this diligence means API’s will not all be tested to such robustly high quality levels as the space shuttle which means there are errors, and where there are errors there will be means to an end for hackers:
- Insecure API Implementations Threaten Cloud
- Web Services Single Sign-On Contains Big Flaws
- Microsoft Research “All these flaws allow the attacker to sign in as the victim to her accounts on the websites using SSO services even without knowing the victim’s password,”
But what if the data itself was of no use once the hackers got hold of it? Do you think they would bother spending long ours gaining access to it if they found it worthless?
What I am getting at is the act of encrypting the DATA itself, the raw data packets, only then are we starting to address the nub of the issue – making the data secure. Encryption (to encipher) and Cryptography (hidden, secret) is a powerful resource. I like the core message in these terms because they point to the essence of what we must achieve with our data to make it truly secure to turn it into something of ‘no value or importance to anyone else’ = cipher to encipher / encrypt our data. Whilst that may sound simple I and the rest of the security community are under no pretence of the challenge this would represent to manage.
Encryption is no small undertaking, by its nature it is very unforgiving to the forgetful or unstructured amongst us which is why all but the very large Enterprises can afford data encryption systems. It is no wonder Enterprise Digital Rights Management (E-DRM) has become a familiar term transposed onto the more generic Information Rights Management (IRM). At a private level it is almost non-existent, for even if you understand the principles of Public Key Infrastructure (PKI) and can wield the tools of Pretty Good Privacy (PGP) to manage you data in an encrypted way you will find yourself limited in terms of who you can interact with as this is far from user-friendly or mainstream.
Do not be misled, poor adoption of PKI, PGP and their ilk are not an early adopter issue, it is a fundamental structure issue. These mechanism are complex to get to work optimally, and in a sub-optimum deployment they are compromised so its worth is questionable and in a corporate world ‘it works some of the time’ does not win much in budget debates. At an individual level it is simply the complexity of management and exchange of encryption keys and their associated Certificates validating key ownership that renders it unusable.
The best we have at present for securing our data files is through forms of IRM / E-DRM, but this has until recently been out of reach of not just the Small and Medium Size Business (SMB / SME’s) but even large Corporates. OK there are proprietary application level encryption and password locking features, but they lack the truly ‘in-line’ capacity as a real time solution and after all the internet is full of solutions that can break these within seconds just head over to the likes of:
Not all is lost though. Most of us have come up against the power of IRM in the form of Digital Rights Management (DRM) with online music purchase, finding that if we try to share a music file bought through one of the online stores we cannot. Why? Because the data is secured and has been locked for use to a single user account. Reflect, the data itself is secured this is the DATA protected, OK the software you use to play the media has to know how to read the data. The data compliance with a standard supported by the software that allows the software to interpret how to authorise the user to use the data, but again I point out this is the DATA that is secured, secured by encryption that refers a user (be it individual or software) to comply with a policy set by the data owner.
Welcome to the future of corporate and personal data, where software (any software) conforms to a standard whereby data is encrypted and software has to comply with that standard to use that data. Just as your Windows Media Player or iTunes software does today through their respective online stores which act as a validation and authorisation proxy for the music industry who are the ultimate rights owners of the tunes you play. In such a new world of data, you could perceivably leave you data anywhere and it would be secure. Why? Because it is encrypted, available to those authorised by the data owner. In such a utopia hackers would gain little from stealing data, and Google would not be able to scan your documents and emails so readily!
IRM as stated above has been the exclusive realm of large Enterprises with the deep pockets to invest in the necessary infrastructure and process discipline mandatory to ensure such an environment works seamlessly and critically data encryption keys are not lost! Until now….
May I introduce or re-introduce you to Microsoft Office 365, Microsoft’s Software as a Service platform for business of all sizes, affordable even for individuals. Microsoft Office 365, delivers Enterprise grade email, collaboration, conferencing and productivity software amongst other benefits. It reset’s the bar in terms of empowering organisations and even individuals and most poignantly stands alone in its security capabilities with its Information Protection and Control (IPC) in the form of Windows Azure Rights Management Service:
- Windows Azure AD Rights Management whitepaper
- Microsoft Exchange Online with AD RMS whitepaper
- Office 365 Virtual Labs for IT Pros
- Windows Azure AD Rights Management Administration Tools and Utilities
Microsoft Office 365 forges a Grand Canyon of a chasm between it and the following herd of online Saas business productivity service vendors when it comes to its compliance credentials and security capabilities, and at a price point that is challenging for any serious functionality and data conscious business executive to not consider very, very seriously. Microsoft Office 365 scales from 1 to 50,000 user environments OUT OF THE BOX! Now NO organisation has an excuse for inappropriate document or email disclosure. It allows ANY organisation to Rights Manage their documents and emails, applying Enterprise class encryption helping to ensure they are only visible to those that have been given explicit rights. This protects organisations in the following common risk scenarios:
- Laptop theft.
- Portable media loss.
- Dismissed employee data retention.
- Inadvertent CC’ing of emails or sending to the wrong recipient
- Email interception.
- Internet vendor document/data scanning.
- ….. amongst others
Not 100% full proof by any means but 100% better than about 95% of the ‘Data’ security being implemented by organisations today. Be assured that just because you believe you have not been compromised does not mean you have not. In fact I would challenge an organisation, IF you have any Intellectual Property worthy of being stolen KNOW that you are either compromised and you don’t know it or adversaries are going after it, if you don’t believe me I fear your falling foul of the old ‘Struthio camelus’ syndrome of head in the sand!
The elephant in the room then becomes how to validate the identity of those access in the data, how do you prove that you are who you are and not an impersonator or a middle man ‘borrowing’ someone access code(s). Single factor Username + Password authentication mechanism are too weak for true identity security, multi-factor authentication (something you know and something you have) is a step in the right direction but many multi-factor authentication approaches remain vulnerable, and thus the goalposts move …. that’s a subject for another day.
So whether you believed me at the start of this article or not here it is, for little more than the cost each year most organisations spend on toilet paper and tea bags (Ok and coffee) per employee they can enjoy Enterprise grade document and email security amongst a bucket load of other powerful features with Microsoft Office 365, no excuses.
Toilet Paper & Tea Bags Analysis
Thanks to Discovery Channel and MySupermarket.com:
- Average usage per employee/yr = 30,000 sheets/year or 134 rolls/year (@ 150 sheets per roll).
- Average price of 50p/roll
Total £67/year per individual on toilet rolls + Tea breaks at £300 per employee per year – Epiphany research 2012 quoted on ‘The Workplace Savings and benefits’ website.