Tuesday, 28 March 2017

How Do We Balance Security with Personal Privacy?

As the whole world knows by now, March 22nd 2017 was a deadly day in London. A man identified as Khalid Masood drove a rental car onto the pavement as he crossed Westminster Bridge, purposely hitting pedestrians as he made his way directly to the Houses of Parliament, where he exited the vehicle and stabbed a police officer to death before being shot by other officers.

In the hours following the deadly incident, police investigators learned that Masood had used the WhatsApp messaging service minutes before beginning his rampage. Police do not know what was communicated because end-to-end encryption prevents them from seeing the actual contents of the communications. The incident itself, along with the encrypted messages, has once again led the UK government to raise the question of balancing security with privacy.

End-To-End Encryption Explained

Many popular mobile apps, including WhatsApp and iMessage, use end-to-end encryption by default. With this kind of encryption, a message is encrypted at its source, sent over the network, and then decrypted by the recipient device at the other end. The server that carries the data is unable to decrypt data because it does not have the shared key.

The result of end-to-end encryption is that companies like Facebook and Apple can provide only limited amounts of data to police investigators. In the Masood case, the only way for investigators to know what he communicated is to break into his password-protected phone.
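The flow described in this section, as an added example that is not part of the original post: two devices derive a shared key with X25519 and exchange an AES-256-GCM message through a relay that only ever holds public keys and ciphertext. The `Relay` class, device names and sample text are constructed for illustration and do not reflect how WhatsApp or iMessage are actually implemented.

```javascript
const crypto = require("node:crypto");

// Each device creates its own X25519 key pair; the private key never leaves it.
function newDevice(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("x25519");
  return { name, publicKey, privateKey };
}

// Both ends derive the same 256-bit key from their own private key and the
// peer's public key (ECDH, then HKDF-SHA256). The relay has neither private key.
function sessionKey(self, peerPublicKey) {
  const shared = crypto.diffieHellman({
    privateKey: self.privateKey,
    publicKey: peerPublicKey,
  });
  const okm = crypto.hkdfSync("sha256", shared, Buffer.alloc(0), "e2ee-demo", 32);
  return Buffer.from(okm);
}

// Encrypt at the source: a fresh nonce per message, authenticated with GCM.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { nonce, body, tag: cipher.getAuthTag() };
}

// Decrypt at the destination; throws if the key is wrong or the data was altered.
function unseal(key, envelope) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, envelope.nonce);
  decipher.setAuthTag(envelope.tag);
  const plain = Buffer.concat([decipher.update(envelope.body), decipher.final()]);
  return plain.toString("utf8");
}

// Hypothetical relay server: a public-key directory plus a message queue.
class Relay {
  constructor() {
    this.directory = new Map();
    this.queue = [];
  }
  register(device) { this.directory.set(device.name, device.publicKey); }
  lookup(name) { return this.directory.get(name); }
  forward(to, envelope) { this.queue.push({ to, envelope }); }
  deliver(to) { return this.queue.filter((m) => m.to === to).map((m) => m.envelope); }
}

function demo() {
  const relay = new Relay();
  const alice = newDevice("alice");
  const bob = newDevice("bob");
  relay.register(alice);
  relay.register(bob);

  const text = "constructed sample message";
  relay.forward("bob", seal(sessionKey(alice, relay.lookup("bob")), text));

  const [envelope] = relay.deliver("bob");
  const received = unseal(sessionKey(bob, relay.lookup("alice")), envelope);

  // The operator's view: it can build a key pair of its own, but without
  // Alice's or Bob's private key the derived key differs and GCM rejects it.
  const operator = newDevice("relay-operator");
  let serverRead = null;
  try {
    serverRead = unseal(sessionKey(operator, relay.lookup("bob")), envelope);
  } catch (err) {
    serverRead = null;
  }
  const leaked = envelope.body.includes(Buffer.from(text, "utf8"));
  return { received, serverRead, leaked };
}

console.log(demo());
```

The demo trusts the relay's key directory, which is why real messengers let users compare key fingerprints out of band to detect a substituted key.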

Security vs Privacy Conundrum

Government officials have made clear in the wake of this latest attack that they expect technology companies not to provide a means of online communication that cannot be accessed by authorities. Yet their calls for less secure systems fly in the face of demands that those same companies take every possible step to protect personal privacy. In essence, it would seem the government wants it both ways.

Some suggest that companies such as Facebook (owners of WhatsApp) and Apple are deploying end-to-end encryption in order to take themselves out of the equation when incidents like this occur. Whether that is true or not, they also say that making their hardware and software less secure gives their customers legitimate concerns about their own privacy.

If technology makers created an encryption system that could be accessed by authorities in the event of a crime or terrorist act, they would also have created a system that can be accessed by hackers. Less secure means less secure across the board. You cannot make technology easier for authorities to access yet still more difficult for criminals and terrorists. It doesn't work that way.

The stark reality is that there is no way to balance security and personal privacy. They are weighted differently, depending on your perspective and your reasons for wanting them. In the end, one will always prevail over the other to some degree. So do we strive for greater security at the expense of personal privacy, or do we make sure privacy is still the primary concern?

Tuesday, 21 March 2017

Data Breaches Do Not Require Computers or Networks

We undeniably should be doing everything we can to prevent data breaches. But to expect that we'll ever reach a day when any and all data breaches are eliminated is unrealistic. The fact is that humans are imperfect creatures capable of making all kinds of mistakes. As a case in point, consider a recent £60,000 fine levied by the Information Commissioner's Office (ICO) against a local council that allowed a used cabinet to be sent to a second-hand shop with client files still inside.

On 20th March (2017) the ICO released a bulletin explaining that it had fined Norfolk County Council after a customer purchased a cabinet from a local second-hand shop only to discover case files still inside. Those case files contained sensitive information relating to seven children, according to the bulletin.

ICO Head of Enforcement Steve Eckersley wrote in the statement:

"Councils have a duty to look after any personal information they hold, all the more so when highly sensitive information is concerned – in particular about adults and children in vulnerable circumstances. For no good reason, Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information."

The ICO did not release a lot of details about the case, but these should be easy to deduce based on typical human behaviour. It is likely that council officials decided to dispose of the cabinet and assigned a low-level employee to clean it out in preparation for transfer. The employee failed to remove all the files from the cabinet before it left the council's facility.

Once at the second-hand shop, its employees also failed to thoroughly inspect the unit before putting it on the sale floor. It was purchased, taken home, and only then opened to reveal the case files.

Multiple Failures Along the Line

The point of our blog post is not to assign blame or to ridicule the County Council mentioned in any way. Rather, it is to show that there were multiple failures along the line that led to the new owner of the cabinet ultimately finding sensitive data. It is not unlike network data breaches that are the result of multiple failures.

In the Norfolk County Council case, the employee who cleaned out the cabinet failed to do so thoroughly. That was followed by an inadequate inspection by a member of management and those responsible for transporting the cabinet to the second-hand shop. Shop staff also failed in that they did not thoroughly inspect the cabinet prior to offering it for sale.

In the arena of network security, there are many more layers and a lot more hands buried deep in the security pie. Therefore, the potential for failure is increased. We are doing a very good job of protecting personal data stored on networks and we must continue doing our best to improve security; however, we are never going to eliminate the potential for failure fully. Unfortunately, failure is part of being human.

Wednesday, 15 March 2017

Record Fine Illustrates the Vulnerability of Information

Have you ever entered personal information into an online account without reading the fine print? Of course you have; we all do it from time to time. What you may not know is that located in all that fine print may be a sentence that says something like, 'you agree that we can share your information with third parties whose offers we think might interest you.'

Such statements act as digital confirmation that you are giving permission for your personal information to be sold to others. The sale of personal information is a serious problem, as demonstrated by a record fine just announced by the Information Commissioner's Office (ICO) against a company accused of making tens of millions of nuisance calls.

According to an ICO press release dated 9 March 2017, a Hampshire company trading as Media Tactics was found to have made 22 million nuisance calls using phone numbers purchased from other online entities that had collected the information. The company made nuisance calls covering a broad range of topics from debt management to personal injury claims.

"These 22 million pre-recorded calls will have left many people feeling frustrated," said the ICO's Steve Eckersley. "But some people found them alarming and distressing – we heard from one complainant who found the calls depressing and another who was too frightened to answer any calls at all."

According to the law, companies like Media Tactics can only place calls to people who have given their consent. Assuming its claim of purchasing phone numbers from other entities who obtained such consent is true, we have a much larger problem here than just one company making nuisance phone calls. We have the greater issue of online entities selling personal information without discriminating.

When That Fine Line Is Crossed

The idea of selling personal information is nothing new, nor is it confined to the digital arena. Companies have been selling names, addresses and phone numbers since long before the internet age. But it seems in recent years we have crossed that fine line from which there appears to be no turning back.

Internet users have a right to expect privacy when they enter their personal information for the purposes of making a purchase, opening an online account or other such activities. Just because a company inserts a consent disclosure in the fine print does not absolve them from being guilty of crossing the line. Such entities may not be guilty of any criminal offence, but there is the ethical side of things to be concerned about.

The average consumer is left having to make a choice of not entering personal information into online accounts or doing so and hoping for the best. Remember, this is not a matter of security. Online entities voluntarily chose to sell information to Media Tactics, information that was collected legally and with alleged consent.

For the record, the ICO's fine against Media Tactics was £270,000. Hopefully, it will serve as a deterrent to other companies engaging in the same kinds of ethically-challenged tactics.

Tuesday, 7 March 2017

UK Government Embarks on New Digital Strategy

The UK has been a world leader in digital technology and the digital economy for a while now. More importantly, our position as a world leader is not something we have come by through mere accident or coincidence. It has been a concerted effort by government leaders and the private sector to build the infrastructure and business environment necessary to be a world leader. And now the government intends to go even further with a brand-new Digital Strategy for the UK.

A press release issued by the Culture Secretary on 1st March lays out plans by which the government hopes to ensure that Britain is the best place in the world to ‘start and grow a digital business’. Officially dubbed the 'Digital Strategy', the government plan calls for:

·        developing the skills, infrastructure and innovation necessary to support the digital economy in Britain;
·        developing new Digital Skills Partnerships for the purposes of creating digital training opportunities; and
·        supporting the digital sector through long-term investments intended to promote productivity and innovation.

The Culture Secretary estimates that the programme will create in the region of 4 million free digital skills training opportunities through partnerships between government, charities, volunteer organisations and the private sector. Training opportunities should ensure that there are enough skilled workers to support the growing number of digital businesses estimated to crop up over the next 5 to 10 years.

The Culture Secretary recognised three specific companies:

·        Lloyds Banking Group – Plans to train 2.5 million individuals, SMEs and charities.
·        Google – Plans to offer five hours of free digital skills training to individuals.
·        Barclays – Plans to train 45,000 young people in basic coding and as many as 1 million adults in general digital skills.

The Culture Secretary's press release indicates that the Digital Strategy is part of the larger Industrial Strategy the government is hoping will make Britain the most competitive nation in the world. If the strategy succeeds, Britain will be the place to both locate digital businesses and innovate technologies that will drive the future.

The Coming Digital Economy

Those of us already active in the digital world are not at all surprised by the government's action. As much as we rely on digital technology in the current day and age, the future looks even more digitally inclusive. Computers are getting more powerful, networks are expanding, and global communications are as robust as they have ever been. The coming digital economy of 2020 and beyond will make what we do today look pale by comparison.

The government and private sector businesses supporting the Digital Strategy are right to assume that our strategy to remain a world leader cannot be sustained without proper training and investment. They are making an effort to provide what we need to continue being the world leader. Indeed, the Digital Strategy could end up being one of the best things we have ever done to help ourselves on the world stage.

Friday, 3 March 2017

Converting IT Closets into Edge Computing Sites

The year was 1968.  My father was holding what looked like a black suitcase with two white stripes. He handed it to me and said “Here’s a gift for you. Your first record player!”. For years, I played records on that turntable (“Hey Jude” by the Beatles was the first “single” I ever owned). Eventually, that portable record player found its way to the closet as new formats for music were released to the marketplace.

Today, the data centre industry finds itself undergoing changes just as radical as what has occurred within the music industry. Just as CDs replaced vinyl records, and music downloads have, even more quickly, replaced CDs, older wiring closets and makeshift server rooms are being radically transformed.

For consumers of music, a need for convenience and mobile access to songs drove these changes (why bring a pile of scratched records to the party if pushing one button on your mobile phone grants you access to your preferred playlist, without the snap, crackle, pop and skips?). For IT staffs, the spaces dedicated to two-post racks and cables need to be optimized and repurposed to serve the performance needs of bandwidth-hungry end users.

The drive for IT closet space optimization involves both the need for local computing sites to aggregate and store local data in order to provide “edge” users with faster and easier ways to access information, and the need for IT staffs to beef up remote management services. The new, affordable remote services run on cloud-based platforms and offer benefits such as data analytics, reduced downtime, reduced operations overhead, and improved energy efficiency for power and cooling systems.

As we enter a new phase in the way IT staffs support local users, confusion exists regarding the differences between old school IT closets and modern Edge Computing sites. Just like vinyl records and downloads both produce music, the way the final product (in this case data and information) gets produced, delivered and consumed requires rethinking.

Below are highlights of some of the critical differences between traditional IT closets and modern Edge Computing sites:
·        Uptime expectations – According to industry estimates, some 2.9 million IT closets (small server rooms and wiring closets) exist in the United States alone and over 70% report outages directly attributed to human error. Many of these IT closet facilities are unattended IT rooms that are minimally supervised. In most cases, operators and administrators have trouble preventing the human error from occurring in these environments. For example, cleaning staff can walk in and unwittingly disconnect a cable. In edge environments, remote monitoring and automation software can be integrated with video surveillance and sensors to reduce the occurrence of human error-related downtime. Racks and enclosures are preconfigured to include integrated power and cooling, cable management, monitoring and management software, cybersecurity, physical security (like remotely controlled rack locks), intelligent rack outlets and sensor technology.
·        Power infrastructure – Most wiring closets have little, if any, uninterruptible power available. In fact, the legacy wiring closet, which used to house passive devices like patch panels and hubs, will now need to evolve to accommodate high power switches, higher density servers, routers and Uninterruptible Power Supplies (UPS) with longer runtimes.
·        Cooling configurations – The cooling of IT wiring closets is rarely planned and typically only implemented after failures or overheating occurs. Because the power density of IT equipment has increased over time, distributed IT equipment such as routers, switches or servers overheat more often and fail prematurely due to inadequate cooling. In new edge environments, solutions such as the Schneider Electric Micro Data Centre have been designed to assure cooling compatibility with anticipated loads. Oversizing is avoided so that electrical efficiency is maximized. Footprint options are flexible enough to work in spaces of various shapes and sizes, including closet-like spaces.

As vinyl records begin to fade from the memories of most consumers (except for hard core vinyl lovers), so will legacy IT closets. To learn more about how Edge Computing is revolutionizing the way IT rooms and small data centres at the edge of networks are being configured, download Schneider Electric white paper #226 “The Drivers and Benefits of Edge Computing”.

Guest blog by Dennis Bouley on behalf of Schneider Electric

Wednesday, 22 February 2017

How to Prevent Lacklustre Air Quality in Commercial Spaces

One of the biggest mistakes most people make when it comes to air pollution is thinking their business is immune to air quality problems.

As a business owner, you will have to do all you can to ensure your customers and employees stay safe. Air pollution is something you probably don’t think about on a regular basis. Neglecting to consider the quality of the air in your commercial building can cause serious health issues for anyone who breathes in this air. There are a variety of things that can lead to the air in a commercial space being polluted. It is your job to work with professionals in the air purification industry to figure out what can be done to keep the quality of the oxygen in your building at peak condition.

If your business works with chemicals in confined quarters, then the quality of the air in your workspace can be compromised. Even something as simple as not changing out the air filter for your commercial HVAC system can lead to pollen and other allergens making their way into your air supply.  Read below to find out about air pollution, what causes it and what you can do to reduce the amount of harmful allergens and chemicals in the air supply at your place of business.

Symptoms You May Notice When Dealing with Air Pollution:

The main thing you need to be concerned with when trying to combat air pollution is the warning signs indicating there is a problem. By learning these warning signs, you will be able to take action when a problem is discovered. Below are some of the symptoms you may notice when an air pollution problem is brewing in your commercial building.

·       Constant wheezing
·       Repeated sneezing
·       Frequent congestion issues
·       Extreme fatigue
·       Watery or dry eyes
·       Itching skin

The fact is that the human body needs quality oxygen to operate as intended. Rather than ignoring these types of warning signs, you will need to figure out what needs to happen to rid the air supply in your commercial business of pollutants.

Air Pollutants Are a Lot More Common Than You Think

Among the biggest mistakes most people make when it comes to air pollution is thinking their business is immune to air quality problems. Most people have this idea that air pollution is reserved for large cities covered in smog. The fact of the matter is many of the products used by a small business on a regular day contain a variety of pollutants. There are a number of common products and substances that can cause air pollution like:

·       Chemicals used to clean a commercial building
·       Various types of mould
·       Air fresheners
·       Perfumes and deodorants
·       Pest control chemicals
·       Asbestos and formaldehyde
·       Bacteria and viruses

As you can see, the substances that can cause air pollution are a lot more common than you think. Reducing or eliminating these products or substances from your workplace is the first step in reducing the chance of air pollution.

How to Keep the Air in Your Building Clean

Now that you know the hazards that exist with regard to air pollution, you are ready to learn about how to combat these air quality problems. The first line of defence you have when trying to fight air pollution is the various air filters you have in place. As the professionals at Camfil say, “Air filters are physically simple but technically complex devices.” Here is some information about a few of the different types of air filters and the benefits they can offer.

HEPA Filters - Among the most common and effective types of air filter out there is the High-Efficiency Particulate Air (HEPA) filter. These types of filters are designed to remove more than 99% of the pollen, mould and bacteria that make their way into a building’s air supply. There are also ULPA (Ultra Low Penetration Air) filters on the market designed to remove 99.9995% of the pollutants that make their way into the air supply in a building.

HVAC Filters - These are filters that have particle removal efficiencies consistent with guidelines as published by the American Society of Heating, Refrigeration and Air-Conditioning Engineers (ASHRAE). They can be very effective at removing common dusts, moulds, bacteria, allergens and other contaminants that present health hazards to building occupants.

Carbon Filters - If your company deals with a lot of harmful gases and aerosol pollutants, then a carbon filter is what you need. Generally, these types of filters are added in with the HVAC filters to enhance the effectiveness they have. Trying to use these types of filters to remove particle type pollutants will be ineffective, which is why using them in conjunction with other types of filters is wise.

Guest blog by Lynne Laake, Camfil USA Air Filters

For further advice on the benefits of the new standard and on filter selection according to the new standard, please visit www.camfil.co.uk or contact Mark Taylor in the UK on +44 (0) 7721 605 378 /  mark.taylor@camfil.co.uk

Friday, 17 February 2017

Court Ruling Jeopardises Google Customer Email

Microsoft won an important court case in 2017 in which it was cleared of having to turn over user data stored on servers in Ireland. It was believed that one more similar ruling would, once and for all, answer the question of whether US government officials could access private data stored on foreign servers. Many thought a Google case in the pipeline would provide that decision. Unfortunately, just the opposite occurred.

Google was simply ordered by a federal court in Pennsylvania to comply with FBI demands to relocate customer e-mails from servers in Ireland to the company's central server in California. The judge who issued the ruling, Thomas J Reuter of the US District Court for the Eastern District of Pennsylvania, ruled that the FBI transfer order did not violate privacy laws because no private information will be disclosed in the transfer. Furthermore, Reuter stated that Google regularly transfers data between international servers without customers knowing it.

Here lies the problem: once the e-mails are transferred to US-based servers, the FBI will be within its legal authority to subpoena those e-mails on any number of grounds. Google's position is that the transfer order, though not a direct breach of privacy, is simply a precursor to what the FBI really intends to do – subpoena the data.

Courts Traditionally in Favour of Privacy

Courts have typically been in favour of protecting consumer privacy against the prying eyes of government law enforcement agencies. Protecting individual privacy is one of the motivations behind so many European governments demanding that data belonging to nationals be stored on European servers. This most recent ruling jeopardises that strategy.

If US courts can successfully order American technology companies to transfer data stored elsewhere back into the United States, any pretence of privacy and security is just an illusion. Once data is back in the US, the FBI, NSA and local and state law enforcement agencies can access it with the mere formality of a subpoena.

This latest decision will undoubtedly be appealed even as dozens of other court cases are still pending. The question over data security and foreign countries is far from being decided, so affected consumers will have to wait to see how it all plays out.

The issue before us right now is whether the recent court decision should be concerning. In a word: yes. The US has been progressively asserting itself and its belief that it has the right to any and all data produced by companies who do business on American soil. Where will it end?

World leaders are expressing a tremendous amount of angst over the populism emerging in the West. This latest court decision is a perfect example of why populism is growing. The ruling is a direct result of the notion of globalism. If we want to be a single global community, we cannot expect courts to recognise international boundaries. Perhaps we should be careful about what we wish for?