
The 10 biggest mistakes made when moving (or considering a move!) to the cloud

May 16, 2012

I wanted to share this with you all, courtesy of David Cartright at CloudPro, as further justification that “Cloud”, the current buzzword and trend, is not for everyone and, if not managed correctly, will not deliver the economies of scale originally intended.

The 10 biggest mistakes made when moving (or considering a move!) to the cloud.

There are some compelling reasons to move to the cloud, but it’s easy to make mistakes too. Here are ten of the most common…

Cloud computing can, of course, be a hugely satisfying thing to do. It can be cost-effective and straightforward whilst at the same time de-risking your organisation through the sheer reliability and high-end support of the remote infrastructure. This doesn’t mean that it’s a trivial thing to do, however, and it’s easy to make simple mistakes. Let’s look at the top ten.

1. Making the wrong decision to use the cloud

The first mistake that one can make is to choose the cloud when it doesn’t really suit the application or your organisation (or both).

Of course as we all know, cloud services can bring vast benefits to an organisation’s computing capability, but as with any technology there are times when it just doesn’t fit no matter how hard you try to persuade yourself it’s a good idea. Particularly if you’re a small company with no need for super-resilience, no knowledge of managing vendors and/or very simple requirements, you can spend more time and money administering a cloud infrastructure than you would if you had a handful of inexpensive servers in house.

2. Choosing the wrong machine for the job

In the cloud it’s just as easy to choose the wrong tool for the job as it is in an in-house application. Just because you use, say, Windows Server 2008 R2 for your in-house finance system, this doesn’t mean you should just map it onto a Windows installation in the cloud. Perhaps you chose a Windows platform internally because that’s the skillset you have; in the cloud someone else will manage the OS for you so why not consider, say, Linux? And of course if you take it a step further you can even decide to go for a fully managed application: given the choice of, say, a fully managed Oracle app on a fully managed Linux box, why wouldn’t you go for that if it’s faster than a Windows installation?

3. Bodging your user access

When you run applications in the cloud, user access can be easy or hard. And if it’s hard, the chances are it’s because you made it that way. What’s one of the key difficulties with in-house systems? Maintaining a collection of disparate user databases is one of the world’s greatest pains in the backside, and with a cloud setup there’s nothing different. Yes, it can take a little bit of effort to integrate the cloud service with your own directory service; and yes, it might take you a few minutes to persuade the higher-ups in the company that to do so isn’t a hideous security risk from Hell. But properly integrated user access is an absolute god-send – not least because it’s the only way you can be sure that when staff leave the organisation their access has been properly curtailed.

4. Disregarding geography

As we all know, putting an application in the cloud doesn’t mean that it’ll end up on arbitrary servers in random locations. The thing is, though, we don’t necessarily all know this – many newcomers to the concept think that you have to place your application at the mercy of the supplier’s load balancing and auto-failover engines. Consider your geography carefully, and consider the legalities of where your data sits and the logic of how close the app and the data are to the users.

5. Losing control of costs

It can’t be denied that the economics of cloud computing are compelling. When you look at the cost of a powerful server in the cloud and compare it with the price of buying the physical hardware, the argument for outsourcing is compelling.

It’s very easy, however, to lose track of the virtual machines, storage, IP addresses, load balancing and applications that you’ve set up (a fact which isn’t helped by the less-than-great user interfaces on some services). This can become very expensive, because although you don’t pay very much for each component, it soon adds up when you have several of each and you’re not careful to keep track and decommission unused entities.

6. Thinking the service manages itself

In a cloud service the servers, storage, networking and such like are all managed for you – unlike an in-house application that you need to employ people to look after. It’s easy to forget, however, that managed services can go wrong – so you’ll still want to monitor the service even though it’s not necessarily your problem to fix it. Fair enough, if you’re using a managed application service then the management task is minimal, but even then you’ll want to look at things like log file growth, database transaction file growth and such like because otherwise the cost of your back-end storage will quickly begin to approach infinity.
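The monitoring point above (log and transaction file growth quietly eating back-end storage) is the kind of thing a small scheduled job can project before the bill arrives. The following is an added example, not code from the CloudPro article or from any provider: it fits a least-squares growth line to a few constructed size samples of a hypothetical database transaction log and reports how many days remain before a hypothetical storage quota is reached. The sample sizes, dates and quota are all constructed for illustration.

```python
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed samples (not from the article): (timestamp, size in bytes) of a
# database transaction log, recorded once a week by a monitoring job.
SAMPLES: List[Tuple[datetime, int]] = [
    (datetime(2012, 5, 1), 2_000_000_000),
    (datetime(2012, 5, 8), 2_700_000_000),
    (datetime(2012, 5, 15), 3_400_000_000),
]

# Constructed samples of a log that is being truncated properly (no net growth).
FLAT_SAMPLES: List[Tuple[datetime, int]] = [
    (datetime(2012, 5, 1), 500_000_000),
    (datetime(2012, 5, 8), 500_000_000),
]

QUOTA_BYTES = 10_000_000_000  # hypothetical storage allowance for this volume


def growth_per_day(samples: List[Tuple[datetime, int]]) -> float:
    """Least-squares growth rate in bytes per day over all samples."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate growth")
    t0 = samples[0][0]
    xs = [(ts - t0).total_seconds() / 86400 for ts, _ in samples]
    ys = [float(size) for _, size in samples]
    mean_x = sum(xs) / len(xs)
    mean_y = sum(ys) / len(ys)
    den = sum((x - mean_x) ** 2 for x in xs)
    if den == 0:
        raise ValueError("samples must span more than one point in time")
    num = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return num / den


def days_until_quota(samples: List[Tuple[datetime, int]],
                     quota_bytes: int) -> Optional[float]:
    """Days until the latest size reaches the quota; None if not growing."""
    rate = growth_per_day(samples)
    if rate <= 0:
        return None
    latest = samples[-1][1]
    if latest >= quota_bytes:
        return 0.0
    return (quota_bytes - latest) / rate


def needs_attention(samples: List[Tuple[datetime, int]],
                    quota_bytes: int, warn_days: int = 90) -> bool:
    """True when the projected time to quota is within the warning window."""
    days = days_until_quota(samples, quota_bytes)
    return days is not None and days <= warn_days


if __name__ == "__main__":
    rate = growth_per_day(SAMPLES)
    days = days_until_quota(SAMPLES, QUOTA_BYTES)
    print(f"growth: {rate / 1e6:.1f} MB/day; days until quota: {days:.0f}")
    print("action needed" if needs_attention(SAMPLES, QUOTA_BYTES) else "ok")
```

The projection is deliberately simple; its value is in running it regularly against every volume you pay for, so that a log that nobody is truncating shows up as a dated warning rather than as a surprise on the invoice.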

7. Running up too many virtual machines

When you have to buy physical equipment, you tend to be a bit sparing when it comes to doing so. The moment you start virtualising, however, that concept goes out of the window – even in an in-house virtual farm let alone a cloud one.

But why is that? Fair enough, the kit isn’t costing you anything, but you’re paying for an extra OS and even though the virtualisation layer lets you oversubscribe your RAM, disk and CPU you still have the overhead of context-switching between the various VMs. Oh, and more servers equals more stuff to manage. Back in the old days of physical kit one would run multiple applications on a single server – and there’s no reason you shouldn’t do so in a cloud world.

8. Thinking you don’t need backups

Cloud services tend to be multiply resilient – dual identical systems that can invisibly fail over in many cases, plus a third machine with similar configuration that’s used for seamless software upgrades. This doesn’t mean that you don’t want to back up your data and configuration from time to time, though.

While it’s likely that the service will never die and your world will be infinitely reliable, can you really put your hand on your heart and say it’s 100 percent certain? And don’t forget, although the big providers are unlikely to go pear-shaped in a hurry, you absolutely need to mitigate the risk of a smaller provider going to the wall and taking your crown jewels with it.

9. Missing the skills change requirement

The skills required for managing a cloud installation are radically different from handling an in-house setup. One of the big culture shocks of moving to the cloud is that the hands-on technical requirement will reduce and the vendor management aspect will ramp up noticeably.

You’ll also have something of a learning curve with regard to understanding the various technical offerings from the provider (RAM, CPU and disk are easy but when you get into virtual IP addresses and load balancing that ceases to be true) and the user interface will be a new discovery for you. It’s an easy mistake to think it’ll be easy, when actually it certainly isn’t.

10. Not cleaning up after yourself

Just as we told you to think about how many virtual machines you run, you also need to revisit this resource consideration frequently. Idle virtual machines and unused IP addresses cost money for no tangible benefit, so why pour money into a black hole by leaving them doing nothing? Just as you should employ the right combination of virtual hardware in the first place, so you should also ensure that you give up resources – even temporarily – if they’re likely to be unused for more than a modest period.
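Points 5, 7 and 10 above all come down to the same discipline: keep an inventory of what you are paying for and review it regularly. As an added example (not code from the CloudPro article or from any cloud provider), the script below runs that review over a constructed inventory of virtual machines and reserved IP addresses, flagging VMs that show no logins and negligible CPU for a month, IP addresses that are reserved but attached to nothing, and IP addresses still attached to machines that no longer exist, then totals the monthly cost of the waste. The resource names, costs, thresholds and usage figures are all constructed; a real run would populate the two lists from your provider’s inventory export.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class VirtualMachine:
    name: str
    monthly_cost: float
    avg_cpu_percent: float   # average CPU over the lookback window
    last_login: datetime     # most recent interactive login observed


@dataclass
class IpAddress:
    address: str
    monthly_cost: float
    attached_to: Optional[str]   # VM name, or None if reserved but unused


# Constructed review date and thresholds (hypothetical policy values).
NOW = datetime(2012, 5, 16)
IDLE_DAYS = 30     # no login for this long ...
IDLE_CPU = 2.0     # ... and average CPU below this percentage => idle

# Constructed inventory (not real resources).
VMS: List[VirtualMachine] = [
    VirtualMachine("finance-db", 120.0, 35.0, NOW - timedelta(days=2)),
    VirtualMachine("test-box-old", 40.0, 0.5, NOW - timedelta(days=90)),
    VirtualMachine("staging-web", 60.0, 1.0, NOW - timedelta(days=10)),
    VirtualMachine("poc-2011", 40.0, 0.1, NOW - timedelta(days=200)),
]
IPS: List[IpAddress] = [
    IpAddress("203.0.113.10", 3.0, "finance-db"),
    IpAddress("203.0.113.11", 3.0, None),               # reserved, unused
    IpAddress("203.0.113.12", 3.0, "decommissioned-vm"),  # VM no longer exists
    IpAddress("203.0.113.13", 3.0, "test-box-old"),      # attached to idle VM
]


def idle_vms(vms: List[VirtualMachine], now: datetime = NOW,
             idle_days: int = IDLE_DAYS, idle_cpu: float = IDLE_CPU) -> List[VirtualMachine]:
    """VMs with both a stale last login and negligible CPU use."""
    cutoff = now - timedelta(days=idle_days)
    return [vm for vm in vms
            if vm.avg_cpu_percent < idle_cpu and vm.last_login < cutoff]


def unattached_ips(ips: List[IpAddress]) -> List[IpAddress]:
    """Reserved addresses that are not attached to anything."""
    return [ip for ip in ips if ip.attached_to is None]


def orphaned_ips(ips: List[IpAddress], vms: List[VirtualMachine]) -> List[IpAddress]:
    """Addresses attached to a VM name that is no longer in the inventory."""
    live = {vm.name for vm in vms}
    return [ip for ip in ips
            if ip.attached_to is not None and ip.attached_to not in live]


def wasted_monthly_cost(vms: List[VirtualMachine], ips: List[IpAddress],
                        now: datetime = NOW) -> float:
    """Monthly spend on idle VMs plus IPs that are unattached, orphaned, or tied to idle VMs."""
    idle = {vm.name for vm in idle_vms(vms, now)}
    live = {vm.name for vm in vms}
    total = sum(vm.monthly_cost for vm in vms if vm.name in idle)
    for ip in ips:
        if ip.attached_to is None or ip.attached_to not in live or ip.attached_to in idle:
            total += ip.monthly_cost
    return round(total, 2)


if __name__ == "__main__":
    for vm in idle_vms(VMS):
        print(f"idle VM: {vm.name} (£{vm.monthly_cost:.2f}/month)")
    for ip in unattached_ips(IPS):
        print(f"unattached IP: {ip.address}")
    for ip in orphaned_ips(IPS, VMS):
        print(f"orphaned IP: {ip.address} -> {ip.attached_to}")
    print(f"estimated monthly waste: £{wasted_monthly_cost(VMS, IPS):.2f}")
```

The flagged list is a prompt for a decision, not an automatic delete: a machine that is idle by these thresholds may still be a cold standby or an evidence host, which is exactly why the review should be a recurring human step rather than a fire-and-forget script.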


I am not a Cloud sceptic – far from it. However I am somewhat more pragmatic than the current crop of “Cloud Evangelists” who are completely indiscriminate when promoting their solutions. Think very carefully before making a costly and possibly irreversible mistake. As I’ve said before it’s not for everyone.

Business leaders need to take note quickly, and learn to recognize that information security risks are real risks to their success.

May 2, 2012

I read this article on SecurityWeek’s website, courtesy of its author Oliver-Christopher Rochford, a writer and Security Consultant from Germany. I found it so compellingly close to my real world experiences that I wanted to share it accordingly. Clearly there is a place for security people despite their apparent “lack” of business sense. I mean, what do we really know?

Business leaders need to take note quickly, and learn to recognize that information security risks are real risks to their success.

Security professionals are often seen as being difficult to deal with. They can be perceived as throwing a spanner in many a good idea, and their incessant demands and the restrictions they try to impose can seem like an artificial bottleneck on getting something to market or into production rapidly. Often, we are accused of not being “business-minded”, or something to that effect. Let us take a little time to gloat and at the same time throw that ill-conceived misconception on to the bonfire of myths and old wives tales.

Some estimates had put the total cost of the infamous Sony attack to be upwards of $24 billion. More difficult to quantify is the accompanying brand damage. Sony announced a 2011 annual loss of $4 Billion, which admittedly cannot be entirely blamed on that security catastrophe, but without a doubt did play its part in contributing towards the total loss. This breach came at a time when Sony has already been struggling to compete against newer market participants in other areas, and needed its entertainment arm to perform strongly to offset this more than ever.

Recently, Global Payments, Inc. was removed from Visa’s PCI compliant service providers and saw a 9% drop in its stock price after it suffered a data breach in March 2012. This happened to a company that earns its bread and butter primarily with card processing, and still did not do what was necessary to protect its core business.

VASCO Data Security managed to lose the $13 million it paid to acquire DigiNotar, after it went bankrupt in 2011 and had to wind down to the tune of a further $5 Million after a cyber attack forced it out of business.

Nortel Networks was the victim of decade long industrial espionage targeted at its actual Intellectual Property rights and development data. Nortel now does not exist. In its day, it was one of the largest suppliers of telecommunications and network equipment in the world.

I am a layperson when it comes to business, but to me it seems like bad security is really, really bad business.

Looking at the average cost of a data breach, who is more business minded? The security professionals that may have prevented these high-cost, brand and capital destroying disasters; Or the business professionals that made the bad business decisions that ultimately prepared the stage for these breaches?

If that is being business minded, I will take the accusation of not being business-minded as a well-intended compliment. I may be naïve, being only a security guy, but I have always worked under the impression that practicing good business means that you create something that is scalable, that is sustainable, that avoids making unnecessary huge losses and if possible, tries not to gamble with the good data and thus the brand love and loyalty of its customers. That sounds like bad business in a nutshell to me.

The problem, as most problems of this nature usually are, is based on history, tradition and of course ignorance. Business thinking has not yet evolved to be aware and take into account the new challenges and demands on strategy and operations that these wide-sweeping changes in how we communicate and use technology have ushered in, even while the consequences of the failures to adapt are visible in plain sight for all to see.

Business schools barely touch on Information Security or Information Risks. That is a fatal shortcoming in this new world of ours, where so much business is now conducted digitally and virtually that the economy would grind to a standstill if the net was unavailable even for a short while. The world has evolved and progressed. Commercial interests have been quick to jump on the possibilities this has opened, stamping out and saturating entire new markets out of thin air that a decade before were just the ravings or fanciful notions of some hardcore geek. Yet businesses are still struggling with the other consequences of this evolution and have yet to acknowledge that we are not in Kansas anymore.

There is much talk of the modern CISO having to be more business savvy, and how the role should be focused on being business-enabling. I say that is 20th century thinking at its worst, and it stems from a complete lack of understanding of where we are and especially of where we are actually going.

I don’t buy into the argument that the aim or intended task of security is to enable business. It is meant to ensure that your data, your IP, your communications, your assets, are adequately protected, that stockholder value is sufficiently guarded, and that the business can thrive for many years to come.

Nor is it really just up to the CIO or other security staff to make a company secure. Security has to be in the fabric of an organization, or it will never be holistic, and thus effective. Any other approach will lead to a business with security; but not to a secure business. The successful business leader of the future will have to be more security aware, and will have to be more mindful, considerate and respectful of information security and its implications than ever before.

This is not a matter of a lack of training or insufficient time either. Security awareness is not a skill. It is a mindset. A mindset born out of an understanding of the risks and problems involved and the resulting “informed paranoia” that develops when you do so. And that mindset is now a business requirement in and of itself, if you want to run a business in this day and age, and even more so in the future.

We are on the precipice of a new age that will fundamentally change the way the world functions, communicates and organizes itself. We are currently only seeing the shadow of it, but it already provides a glimpse of the outline of what is to come, and boy, it is a major cataclysmic paradigm-breaking game changer. Businesses will have to evolve quickly to adapt to this new era, because failure to do so will spell the end for any organization that does not, be that with a big bang or with a whimper.

In that light, the outlook for many companies based on recent events and current attitudes is not particularly good. Security is considered an extra cost without measurable benefit, an afterthought or something to implement to be compliant.

A good analogy is the Dodo. That the Dodo is extinct is well known, but less discussed is how it came to be that way. Its habitat was the Island of Mauritius, where for many millennia it lived a carefree life without fear of predators or much competition aside from other Dodos. Life was simple, life was good, leaving the Dodo to live carefree and concentrate on finding food. Then times changed drastically, and in disaster for the poor, carefree, oversized bird. Man found Mauritius, and with Man came dogs, pigs, rats, and a variety of other threats and competition that the Dodo was not suited to come to terms with.

There are stories that it was possible to walk up to the Dodo holding a club, and it would watch you beat it to death, not knowing any danger or sense of risk. Much like most victims of an SQL Injection attack really. Roughly a century after the first recorded accounts of the Dodo, it ceased to be; extinction left only some bones and a few plaster casts to wonder about. And that despite the fact that their meat was described as rather bad tasting.

We are in a similar situation. Barely 20 years ago, there were no mobile phones in day-to-day use, offices still did almost everything on paper, and networks were usually intended to carry faxes and print jobs. Now we are not isolated anymore, and left in peace to live our carefree little lives with no outside pressures.

No stockholder, customer or voter wants someone in charge who is unable to understand and assess risk and security, as a hapless and incredibly misguided UK Minister recently had to be reminded of, so it will not take long before the same will come to apply to executives, and business overall by extension.

And when you have enough people, especially ones in the know, acknowledge that current business practices in regards to security are unsustainable, you know that someone is already staring at that kind-looking, smiling man walking towards him with a club in his hand, wondering whether he may be bringing something to eat.

Cybercrime, cyberterrorism, cyberespionage and cyberwarfare. These are now a permanent feature in the threat landscape, making them actual business issues, with all that that implies.

With security ecosystem predators like Anonymous, Chinese hackers, Iranian Cyberarmies, foreign intelligence agencies, corporate spies and other less obvious hunters such as the media (as in the case of the UK newspaper hacking scandals) circling the old, weak and lame in the herd, natural selection will kick in with a vengeance. As in nature, when a new eco niche is introduced, the food chain soon begins to establish itself and find equilibrium, with those players not able to adapt quickly enough providing easy prey for the others.

Management and business leaders will have to take note quickly, and learn to recognize information security risks as real risks to their success, or they will go the way of the Dodo.

Social engineering is possibly the most effective hacking exploit we may face today – and possibly the easiest to perpetrate. Why?

April 4, 2012

Because it is human nature to want to help. This is an extract from a recent publication that I found illuminating, and essential for anyone concerned about such threats. Education, education, education.


So, what is Social Engineering?

Social engineering is the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password. The goal is always to gain the trust of one or more of your employees.

Famous hacker Kevin Mitnick helped popularize the term “social engineering” in the ‘90s, but the simple idea itself (tricking someone into doing something or divulging sensitive information) has been around for ages.


What Social Engineers Want:

The goal for many social engineers is to obtain personal information that can either directly lead them to financial or identity theft or prepare them for a more targeted attack. They also look for ways to install malware that gives them better access to personal data, computer systems or accounts, themselves. In other cases, social engineers are looking for information that leads to competitive advantage.


Items that scammers find valuable include the following:

  • Passwords
  • Account numbers
  • Keys
  • Any personal information
  • Access cards and identity badges
  • Phone lists
  • Details of your computer system
  • The name of someone with access privileges
  • Information about servers, networks, non-public URLs, intranet


How Social Engineers Work:

There are an infinite number of social engineering exploits. A scammer may trick you into leaving a door open for him, visiting a fake Web page or downloading a document with malicious code, or he might insert a USB in your computer that gives him access to your corporate network.

Typical ploys include the following:

Stealing passwords: In this common manoeuver, the hacker uses information from a social networking profile to guess a victim’s password reminder question. This technique was used to hack Twitter and break into Sarah Palin’s e-mail.

Friending: In this scenario, a hacker gains the trust of an individual or group and then gets them to click on links or attachments that contain malware that introduces a threat, such as the ability to exploit a weakness in a corporate system.

For example, says Netragard CTO Adriel Desautels, he might strike up an online conversation about fishing and then send a photo of a boat he’s thinking of buying.

Impersonation/social network squatting: In this case, the hacker tweets you, friends you or otherwise contacts you online using the name of someone you know. Then he asks you to do him a favor, like sending him a spreadsheet or giving him data from “the office”. “Anything you see on a computer system can be spoofed or manipulated or augmented by a hacker,” says Desautels.

Posing as an insider: In many cases, the scammer poses as an IT help desk worker or contractor to extract information such as passwords from an unknowing employee.

“Roughly 90% of the people we’ve successfully exploited during [vulnerability assessments for clients] trusted us because they thought we worked for the same company as them,” Desautels says. In one case, a Netragard worker posed as a contractor, befriended a group of the client’s workers and set up a successful phishing scheme through which he gleaned employee credentials, eventually gaining entry to the entire corporate infrastructure.


State of the State:

Social engineering attacks are widespread, frequent and cost organizations thousands of dollars annually, according to research from security firm Check Point Software Technologies. Its survey of 850 IT and security professionals located in the U.S., Canada, U.K., Germany, Australia and New Zealand found almost half (48%) had been victims of social engineering and had experienced 25 or more attacks in the past two years. Social engineering attacks cost victims an average of $25,000 – $100,000 per security incident, the report states.

“Socially-engineered attacks traditionally target people with an implied knowledge or access to sensitive information,” according to a statement from Check Point on the survey. “Hackers today leverage a variety of techniques and social networking applications to gather personal and professional information about an individual in order to find the weakest link in the organization.”

Among those surveyed, 86% recognize social engineering as a growing concern, with the majority of respondents (51%) citing financial gain as the primary motivation of attacks, followed by competitive advantage and revenge. The most common attack vectors for social engineering attacks were phishing emails, which accounted for 47% of incidents, followed by social networking sites at 39%. New employees are the most susceptible to social engineering, according to the report, followed by contractors (44%), executive assistants (38%), human resources (33%), business leaders (32%) and IT personnel (23%). However, almost one-third of organizations said they do not have a social engineering prevention and awareness program in place. Among those polled, 34% do not have any employee training or security policies in place to prevent social engineering techniques, although 19% have plans to implement one, according to Check Point.

For the full guide to social engineering click here: Social Engineering-Ultimate Guide


FSA Data Protection Compliance – Best Practices Review

March 15, 2012

I was recently commissioned, on behalf of a compliance adviser practice, to carry out an information security review of a 30 user financial services organisation located in the Midlands. Obviously fully aware of the likely penalties the FSA can administer, as well as the threat of the Information Commissioner’s Office imposing a fine of up to £500,000 for Data Protection breaches, the firm’s directors had taken a hugely responsible approach to this very serious matter.

Despite already implementing a variety of security controls under the guidance of their IT service provider, it was considered important enough to perform a review to re-assure clients and stakeholders that they do take information security seriously – a philosophy that is often overlooked in favour of so called “higher priorities”.

What did it involve?

To minimise costs and the time it takes to carry out a full security audit, I gave them an initial questionnaire to fill out. It was developed primarily around the FSA’s best practices guidelines, as detailed in their scathing report titled “Data Security in Financial Services – Firms’ controls to prevent data loss by their employees and third-party suppliers”.

After looking at the results, I carried out an interview with the practice manager (although it can be a partner / director responsible for IT and security), and the contracted IT service provider. Sometimes it’s considered inappropriate to include the IT service provider due to a lack of technical expertise, although it certainly wasn’t in this case.

I was then able to provide them with a report outlining the good and bad practices within the organisation and highlighting areas of concern that need addressing, according to their priority. From start to finish, the whole thing took two days.

This was a high level system security review intended to establish the risk appetite of the business in general, and not a thorough interrogation of the systems internally or externally through penetration testing. But what it does do is help the senior management focus their attention and help mitigate the threats the financial sector faces. It is, after all, the most targeted industry sector for the cyber criminal.

Feel free to contact me directly if you believe your organisation could benefit from a similar review.

Stolen NASA laptop had Space Station control codes… and no encryption for supervillains to crack!

March 5, 2012

I suspect this may be just about the highest profile incident of laptop security negligence we have experienced to date. For the full article please follow this link:

http://www.theregister.co.uk/2012/03/01/nasa_stolen_laptop_unencrypted/

In another article on the BBC website reporting on NASA security breaches it was claimed that:

The agency suffered “5,408 computer security incidents” between 2010 and 2011.

Between April 2009 and April 2011, NASA reported the loss or theft of 48 Agency mobile computing devices.

This particular lost unencrypted notebook computer contained details of the algorithms – the mathematical models – used to control the International Space Station.

http://www.bbc.co.uk/news/technology-17231695

NASA told the BBC that “at no point in time have operations of the International Space Station been in jeopardy due to a data breach”. A bold claim indeed!

Considering the availability and low cost of encryption solutions to avert this type of risk it is almost unbelievable that such a “target-rich environment for cyber attacks” as NASA should be so reckless in their security procedures.

This should serve as a timely reminder for any custodian of critical data, particularly those with legal and regulatory compliance mandates to fulfil. Unfortunately it seems security is considered a “nice to have” in many industry sectors with other commitments taking priority. Of course this sort of thing won’t happen to you, will it? Maybe a fine of £500,000 from the Information Commissioners’ Office will help to focus the mind.

BT severs all ties with Cloud…. in parts of Hertfordshire anyway.

February 15, 2012

The small business (or maybe that should read “small minded”) cloud evangelists that I come across with alarming frequency cannot fail to admit that the heavy reliance on a monopolistic dinosaur of a broadband infrastructure does not really lend itself to cloud computing for everyone (please see a recent blog article below regarding cloud suitability).

Only last week many businesses in Hertfordshire were left without voice and data services for a prolonged period following another attack on BT’s physical network. This time it was due to the attempted theft of communications cabling in Hatfield, South Hertfordshire.

BT and the local police force have offered a reward of £5000 for information that will lead to the prosecution of the offenders. However this should better serve as a timely reminder that moving critical systems and data to the cloud is not without its perils and requires careful consideration.

And as I have said before, it is not for everyone. Despite my reservations I can clearly see significant financial and operational advantages of cloud computing for the right business, if you can guarantee ubiquitous connectivity. However, there are few small businesses who can justify, let alone afford, resilient internet connectivity to guarantee availability. And if they do, surely it negates any potential cost saving delivered by the cloud? And without availability you cannot have security.

Some say it was local residents demanding faster broadband, in the hope that BT would accelerate their roll out of fibre cabling. I say wake up and smell the coffee, Cloud Cuckoo Land. As a provider of cloud services myself, and particularly Security as a Cloud (SaaS) services, I recognise the flexible and financial benefits, however I also remain a pragmatist, rather than an ideologist.

See the BBC brief article here:

http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-17010501


Keeping your laptops secure

January 9, 2012

Notebook PCs are ideal for small businesses. They make it easier to work flexibly. You can move from the office to a client location and back home again accompanied by all your programs and data. However, their very portability makes them easy to steal or lose.

Take data protection seriously and start protecting your laptops!!!


There are several ways to keep laptops and the data stored on them safe. Sensible precautions include:

Locking them up.

Use metal cables and locks to secure each laptop to a bulky object – like a desk – when in use. When laptops aren’t in use, hide them away in locked cupboards or drawers.

Being careful away from the office.

Laptops are often lost to opportunist thieves. Keep hold of laptops in public places and do not leave them on display in cars. Choose laptop bags that don’t look like computer cases so that their contents are not so obvious to thieves.

Recording and registering.

Mark all laptops using a permanent tag or etching. You should record all serial numbers and register each laptop with the manufacturer too. This way, if one goes missing, you’re more likely to get it back.

Securing your data.

Encryption scrambles the files stored on the hard drives of laptops so they can only be viewed with the proper authorisation. The Securapro® hosted full disk encryption service is the answer. It makes the hard drive useless to thieves – even if they try to use it in another laptop.


Keeping files somewhere safe.

Instead of saving sensitive files on laptops, store them on a central server. Your laptops can connect to the server securely, even when they’re being used away from the office. With this central, secure file store, you can reduce the risk of losing information.


Using strong identification methods.

Usernames and passwords can often be guessed. To increase security, you and your staff can log on in other ways. Some laptops have fingerprint scanners built in. Alternatively, use a combination of smart cards (something you have) and passwords (something you know) to provide double security. Many laptops are available with built-in smart card readers.

And don’t forget for all your security advice and solutions visit www.octree.co.uk or www.securapro.co.uk, call our offices on 08456 171819, or send an email to sales@octree.co.uk.

Personal data ‘lost by 132 councils’

November 24, 2011

http://www.bbc.co.uk/news/uk-15840373?utm_medium=twitter&utm_source=twitterfeed

I read with absolute fascination this article highlighted by an astute colleague of mine. Please read on.

“Private data has been lost by or stolen from UK local councils more than 1,000 times since 2008, a report says. The data included details relating to children and vulnerable people in care, campaign group Big Brother Watch said.

Some 132 authorities said they had had a total of 1,035 cases of data loss or theft between 2008 and 2011. The Information Commissioner said it was vital councils kept data secure. The Local Government Association for England and Wales declined to comment.

Big Brother Watch director Nick Pickles said the research – based on answers to freedom of information requests – showed a “shockingly lax attitude” to protection of confidential information by some councils. Some 263 councils reported no losses, while a further 38 did not respond. The report revealed that information about at least 3,100 children and young people was compromised in 118 cases.

Lost ‘in street’

At least 244 laptops and portable computers, 98 memory sticks and 93 mobile devices went missing. Only 55 incidents were reported to the Information Commissioner’s Office (ICO) and only nine people lost their jobs as a result, according to the councils which responded. Buckinghamshire and Kent reported the most data loss incidents with 72 cases each, followed by Essex with 62 and Northamptonshire with 48. Cases included scanned case notes belonging to Kent council being found on Facebook and an unencrypted memory stick containing childcare data lost on a Durham street.

In Birmingham, one lost USB stick included the names, addresses, contact details, tenancy type and ethnic origin of 64,000 tenants. In that case, the member of staff was suspended and later resigned. Mr Pickles said: “This research highlights a shockingly lax attitude to protecting confidential information across nearly a third of councils. “The fact that only a tiny fraction of staff have been dismissed brings into question how seriously managers take protecting the privacy of their service users and local residents.

“Despite having access to increasing amounts of data and being responsible for even more services, local authorities are simply not able to say our personal information is safe with them.”

New powers

The ICO has called for new powers to carry out compulsory audits in the local government sector. An ICO spokesman said: “It’s vital that local authorities properly live up to their legal responsibility to keep personal data secure, particularly where it is sensitive information about children and young people.

“Our concern isn’t just that councils have the right policies and procedures in place; it’s about bringing about a culture among staff whereby everyone takes their responsibilities seriously and effective data handling becomes second nature. “We’re calling for powers to conduct compulsory audits in the local government sector and will this week submit a formal business case to the Ministry of Justice asking the government to give us such powers.”

Local government minister Grant Shapps welcomed the report saying it “reinforces the need for steps to protect the privacy of law-abiding local residents”.

In October, MPs on the justice select committee called for tougher personal data abuse laws, suggesting courts should have the power to jail people who breach the Data Protection Act.”

Unfortunately, based on my experiences alone, this really is just the tip of the iceberg, and has only come to light due to public sector disclosure mandates, not yet applicable to the private sector. Watch this space…

I wonder how many private sector organisations maintain such a blasé approach to data protection, despite the freely available technology and operational countermeasures easily afforded. Maybe imprisonment is the wake-up call required to generate a shift in attitude, since the threat of a £500,000 fine seems to carry little weight.

European businesses face mandatory-disclosure law

October 10, 2011

Public and private sector businesses will soon be hit by mandatory-disclosure legislation. This means that any breach of personally identifiable information will have to be reported, and any person likely to be affected will have to be contacted. And the necessary processes and procedures will have to be transparent for audit.

In mid-November, the European Commission will publish the new version of its Data Protection Directive, the legislation on which the Data Protection Act is based, and among the new measures will be instructions on data processing. This has been some time coming, with an estimated 82% of CIOs in favour of mandatory breach disclosure. Whether this is to raise the bar on threat analysis and mitigation response, or an attempt to “out” those that blatantly flout data protection laws, is anyone’s guess. However, it may just encourage businesses, small and large, regulated and unregulated, to finally attempt to get their house in order. I, for one, am behind this all the way. Do I have an ulterior motive? Watch this space.

Read the full article here.

http://www.scmagazineuk.com/exclusive-european-businesses-face-mandatory-disclosure-law/article/212988/?DCMP=EMC-SCUK_Newswire

Do you really need “cloud computing”?

October 4, 2011

I wanted to share this article regarding our incessant drive towards “cloud computing”, which identifies a number of considerations to weigh before taking the massive leap of faith. And I felt compelled to add a further caveat following the nationwide broadband outage reported on the BBC website as a result of a power failure at a Birmingham Exchange.

“The world is abuzz over cloud computing–using virtual servers available on demand over the Internet. But the truth is not every small business needs to operate “in the cloud.” Before you make the move, or someone convinces you to make the move, consider these five criteria, care of Philip McKinney, vice president and chief technology officer of Hewlett-Packard’s Personal Systems Group.

How Fast Is Your Business Growing?

Investments in hardware and software typically follow a stair-step pattern. Incremental outlays often lead to too much capacity; that’s why utilization rates for IT systems tend to be low–30% to 40%. Cloud computing can more smoothly match technology expenditures with a company’s natural trajectory. Fast-growers tend to be good candidates for the cloud, as are those with choppy or seasonal demand. Stable, predictable outfits that feel more comfortable with keeping systems in-house might be better off staying put.

Where Are The Troops?

Cloud services, by definition, are available 24-7. That gives employees, partners and customers access to information from anywhere and in real time–a huge advantage for companies with operations in different locations and in multiple time zones. The more spread out a business is, the more the cloud can help. If your company is generally centralized and runs within normal business hours, and if your employees don’t need 24-7 access, the cloud may not be for you.

How Reliable Must Your System Be?

A system boasting 99.999% availability means that it will be offline just 6.05 seconds per week, while one offering mere 99% availability will be down 1.68 hours per week. Those three extra 9s don’t come cheap–perhaps eight to ten times more than cut-rate 99% service–so be honest about how much uptime your system must deliver to meet your customers’ needs. (If you’re not in the health care, telecommunication or public safety industries, 99.95% should do.) Also keep in mind that overall reliability depends not just on the cloud vendor but also on the network provider. No network, no cloud service. Beware: Neither cloud vendors nor broadband providers will race to take ownership of your system’s reliability. Read the cloud vendor’s Service Level Agreement closely, and be ready to negotiate.

Is the Service Secure Enough?

Some cloud vendors share their servers with other customers–that may not be a good fit for companies in regulated industries, such as health care and banking, as data are never 100% secure in a shared environment. Another concern is the physical location of the cloud vendor’s servers relative to your customers. Some government regulations prohibit “moving” customer data (names, addresses, billing information) across national borders because of privacy concerns. Define the regulatory requirements of your business, and make sure the cloud vendor satisfies them.

Good Track Record?

There now are hundreds of cloud vendors to choose from. Many are launching new services, like mobile marketing and social networking, to separate themselves from the pack. That’s good news. But lots of new players and incessant innovation also invite instability, and cloud vendors go out of business for all sorts of reasons. Vet them by scanning sites like cloudfail.net, which tracks data on outages and reliability for popular cloud services. If you can find a few current customers, chat them up. And if anyone is really dissatisfied, chances are they’re barking about it on Twitter.”

For many small businesses resilient broadband communications are way beyond their budgets, if they even have any, so is it prudent to place your crown jewels out in “the cloud” if availability is the key security factor? The bottom line is SMEs are likely to suffer considerable disruption when – not if – xDSL services fail, and I for one will make this my primary consideration before early adoption.

The BT outage article can be found here:

http://www.bbc.co.uk/news/technology-15154020
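The availability arithmetic in the quoted article, and the point made above that a cloud SLA is only as good as the broadband link in front of it, as an added worked example (not code from the original post or the quoted article). The 99.95% and 99% figures are constructed for illustration, not vendor data; the links are assumed to fail independently.

```python
from typing import Sequence

# Added example, not code from the original post or the quoted article.
# The SLA figures used below are constructed for illustration.

SECONDS_PER_WEEK = 7 * 24 * 60 * 60  # 604,800


def downtime_per_week(availability: float) -> float:
    """Seconds per week a component may be down at the given availability (0..1)."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must be a fraction between 0 and 1")
    return (1.0 - availability) * SECONDS_PER_WEEK


def series_availability(*components: float) -> float:
    """Chain in which every component must be up: cloud service AND access link."""
    result = 1.0
    for a in components:
        result *= a
    return result


def parallel_availability(*components: float) -> float:
    """Redundant components of which any one suffices, assumed to fail independently."""
    all_down = 1.0
    for a in components:
        all_down *= 1.0 - a
    return 1.0 - all_down


def end_to_end(cloud_sla: float, links: Sequence[float]) -> dict:
    """Cloud SLA in series with one or more redundant broadband links."""
    link = parallel_availability(*links) if links else 0.0
    overall = series_availability(cloud_sla, link)
    return {"link": link, "overall": overall,
            "downtime_s_per_week": downtime_per_week(overall)}


if __name__ == "__main__":
    # Constructed scenario: the 99.95% service the article says "should do",
    # first behind a single 99% xDSL line, then with a second independent 99% line.
    for label, links in (("single xDSL line", [0.99]), ("two independent lines", [0.99, 0.99])):
        r = end_to_end(0.9995, links)
        print(f"{label}: overall {r['overall']:.4%}, "
              f"about {r['downtime_s_per_week'] / 3600:.2f} h of downtime per week")
```

With a single 99% line the end-to-end figure drops to 98.95% (about 1.76 hours a week), well below the 99.95% the vendor promised; a second independent line brings it back above 99.9%.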
