Tuesday, 28 March 2017

How Do We Balance Security with Personal Privacy?

As the whole world knows by now, March 22nd 2017 was a deadly day in London. A man identified as Khalid Masood drove a rental car onto the pavement as he crossed Westminster Bridge, purposely hitting pedestrians as he made his way directly to the Houses of Parliament, where he exited the vehicle and stabbed a police officer to death before being shot by other officers.

In the hours following the deadly incident, police investigators learned that Masood had used the WhatsApp messaging service minutes before beginning his rampage. Police do not know what was communicated due to end-to-end encryption that prevents them from seeing the actual contents of the communications. The incident itself, along with the encrypted posts, has once again led the UK government to raise the question of balancing security with privacy.

End-To-End Encryption Explained

Many popular mobile apps, including WhatsApp and iMessage, use end-to-end encryption by default. With this kind of encryption, a message is encrypted at its source, sent over the network, and then decrypted by the recipient device at the other end. The server that carries the data is unable to decrypt data because it does not have the shared key.
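
An added illustration of the flow described above; it is not code from the original post and not the protocol WhatsApp or iMessage actually use. Two devices agree a key with X25519, and a relay that only forwards public keys and ciphertext cannot read the message. The names alice, bob and server and the 'e2ee-demo' label are assumptions made for the example.

```javascript
// Added example using Node's built-in crypto module; all names are constructed.
const crypto = require('node:crypto');

// Each device makes its own X25519 key pair; the private key never leaves it.
function newDevice() {
  return crypto.generateKeyPairSync('x25519');
}

// Both ends derive the same 32-byte key from their private key and the peer's public key.
function sharedKey(myPrivate, peerPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'e2ee-demo', 32));
}

// AES-256-GCM encrypts and authenticates; a fresh random IV is used per message.
function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

// Throws if the key is wrong or the message was altered in transit.
function decrypt(key, msg) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

function runExchange(text) {
  const alice = newDevice();
  const bob = newDevice();
  const server = newDevice(); // the relay's own key pair, not an endpoint's

  // Alice encrypts at the source; the relay only ever holds `relayed`.
  const relayed = encrypt(sharedKey(alice.privateKey, bob.publicKey), text);
  // Bob derives the same key from his side and decrypts.
  const atBob = decrypt(sharedKey(bob.privateKey, alice.publicKey), relayed);

  // The relay knows both public keys but neither private key, so any key
  // it can derive is the wrong one and GCM authentication fails.
  let serverRead = null;
  try {
    serverRead = decrypt(sharedKey(server.privateKey, alice.publicKey), relayed);
  } catch (err) {
    serverRead = null;
  }
  return { atBob, serverRead, relayed };
}
```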

The result of end-to-end encryption is that companies like Facebook and Apple can provide only limited amounts of data to police investigators. In the Masood case, the only way for investigators to know what he communicated is to break into his password-protected phone.

Security vs Privacy Conundrum

Government officials have made clear in the wake of this latest attack that they expect technology companies not to provide a means of online communication that cannot be accessed by authorities. Yet their calls for less secure systems fly in the face of demands that those same companies take every possible step to protect personal privacy. In essence, it would seem the government wants it both ways.

Some suggest that companies such as Facebook (owners of WhatsApp) and Apple are deploying end-to-end encryption in order to take themselves out of the equation when incidents like this occur. Whether that is true or not, they also say that making their hardware and software less secure gives their customers legitimate concerns about their own privacy.

If technology makers created an encryption system that could be accessed by authorities in the event of a crime or terrorist act, they would also have created a system that can be accessed by hackers. Less secure means less secure across the board. You cannot make technology easier for authorities to access yet still more difficult for criminals and terrorists. It doesn't work that way.

The stark reality is that there is no way to balance security and personal privacy. They are weighted differently, depending on your perspective and your reasons for wanting them. In the end, one will always prevail over the other to some degree. So do we strive for greater security at the expense of personal privacy, or do we make sure privacy is still the primary concern?

Tuesday, 21 March 2017

Data Breaches Do Not Require Computers or Networks

We undeniably should be doing everything we can to prevent data breaches. But to expect that we'll ever reach a day when any and all data breaches are eliminated is unrealistic. The fact is that humans are imperfect creatures capable of making all kinds of mistakes. As a case in point, consider a recent £60,000 fine levied by the Information Commissioner's Office (ICO) against a local council that allowed a used cabinet to be sent to a second-hand shop with client files still inside.

On 20th March (2017) the ICO released a bulletin explaining that it had fined Norfolk County Council after a customer purchased a cabinet from a local second-hand shop only to discover case files still inside. Those case files contained sensitive information relating to seven children, according to the bulletin.

ICO Head of Enforcement Steve Eckersley wrote in the statement:

"Councils have a duty to look after any personal information they hold, all the more so when highly sensitive information is concerned – in particular about adults and children in vulnerable circumstances. For no good reason, Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information."

The ICO did not release a lot of details about the case, but these should be easy to deduce based on typical human behaviour. It is likely that council officials decided to dispose of the cabinet and assigned a low-level employee to clean it out in preparation for transfer. The employee failed to remove all the files from the cabinet before it left the council's facility.

Once at the second-hand shop, its employees also failed to thoroughly inspect the unit before putting it on the sale floor. It was purchased, taken home, and only then opened to reveal the case files.

Multiple Failures Along the Line

The point of our blog post is not to assign blame or to ridicule the County Council mentioned in any way. Rather, it is to show that there were multiple failures along the line that led to the new owner of the cabinet ultimately finding sensitive data. It is not unlike network data breaches that are the result of multiple failures.

In the Norfolk County Council case, the employee who cleaned out the cabinet failed to do so thoroughly. That was followed by an inadequate inspection by a member of management and those responsible for transporting the cabinet to the second-hand shop. Shop staff also failed in that they did not thoroughly inspect the cabinet prior to offering it for sale.

In the arena of network security, there are many more layers and a lot more hands buried deep in the security pie. Therefore, the potential for failure is increased. We are doing a very good job of protecting personal data stored on networks and we must continue doing our best to improve security; however, we are never going to eliminate the potential for failure fully. Unfortunately, failure is part of being human.

Wednesday, 15 March 2017

Record Fine Illustrates the Vulnerability of Information

Have you ever entered personal information into an online account without reading the fine print? Of course you have; we all do it from time to time. What you may not know is that located in all that fine print may be a sentence that says something like, 'you agree that we can share your information with third parties whose offers we think might interest you.'

Such statements act as digital confirmation that you are giving permission for your personal information to be sold to others. The sale of personal information is a serious problem, as demonstrated by a record fine just announced by the Information Commissioner's Office (ICO) against a company accused of making tens of millions of nuisance calls.

According to an ICO press release dated 9 March 2017, a Hampshire company trading as Media Tactics was found to have made 22 million nuisance calls using phone numbers purchased from other online entities that had collected the information. The company made nuisance calls covering a broad range of topics from debt management to personal injury claims.

"These 22 million pre-recorded calls will have left many people feeling frustrated," said the ICO's Steve Eckersley. "But some people found them alarming and distressing – we heard from one complainant who found the calls depressing and another who was too frightened to answer any calls at all."

According to the law, companies like Media Tactics can only place calls to people who have given their consent. Assuming their claims of purchasing phone numbers from other entities who obtained such consent are true, we have a much larger problem here than just one company making nuisance phone calls. We have the greater issue of online entities selling personal information without discriminating.

When That Fine Line Is Crossed

The idea of selling personal information is nothing new, nor is it confined to the digital arena. Companies have been selling names, addresses and phone numbers since long before the internet age. But it seems in recent years we have crossed that fine line from which there appears to be no turning back.

Internet users have a right to expect privacy when they enter their personal information for the purposes of making a purchase, opening an online account or other such activities. Just because a company inserts a consent disclosure in the fine print does not absolve it of crossing the line. Such entities may not be guilty of any criminal offence, but there is the ethical side of things to be concerned about.

The average consumer is left having to make a choice of not entering personal information into online accounts or doing so and hoping for the best. Remember, this is not a matter of security. Online entities voluntarily chose to sell information to Media Tactics, information that was collected legally and with alleged consent.

For the record, the ICO's fine against Media Tactics was £270,000. Hopefully, it will serve as a deterrent to other companies engaging in the same kinds of ethically-challenged tactics.

Tuesday, 7 March 2017

UK Government Embarks on New Digital Strategy

The UK has been a world leader in digital technology and the digital economy for a while now. More importantly, our position as a world leader is not something we have come by through mere accident or coincidence. It has been a concerted effort by government leaders and the private sector to build the infrastructure and business environment necessary to be a world leader. And now the government intends to go even further with a brand-new Digital Strategy for the UK.

A press release issued by the Culture Secretary on 1st March lays out plans by which the government hopes to ensure that Britain is the best place in the world to ‘start and grow a digital business’. Officially dubbed the 'Digital Strategy', the government plan calls for:

· developing the skills, infrastructure and innovation necessary to support the digital economy in Britain;
· developing new Digital Skills Partnerships for the purposes of creating digital training opportunities; and
· supporting the digital sector through long-term investments intended to promote productivity and innovation.

The Culture Secretary estimates that the programme will create in the region of 4 million free digital skills training opportunities through partnerships between government, charities, volunteer organisations and the private sector. Training opportunities should ensure that there are enough skilled workers to support the growing number of digital businesses estimated to crop up over the next 5 to 10 years.

The Culture Secretary recognised three specific companies:

· Lloyds Banking Group – Plans to train 2.5 million individuals, SMEs and charities.
· Google – Plans to offer five hours of free digital skills training to individuals.
· Barclays – Plans to train 45,000 young people in basic coding and as many as 1 million adults in general digital skills.

The Culture Secretary's press release indicates that the Digital Strategy is part of the larger Industrial Strategy the government is hoping will make Britain the most competitive nation in the world. If the strategy succeeds, Britain will be the place to both locate digital businesses and innovate technologies that will drive the future.

The Coming Digital Economy

Those of us already active in the digital world are not at all surprised by the government's action. As much as we rely on digital technology in the current day and age, the future looks even more digitally inclusive. Computers are getting more powerful, networks are expanding, and global communications are as robust as they have ever been. The coming digital economy of 2020 and beyond will make what we do today look pale by comparison.

The government and private sector businesses supporting the Digital Strategy are right to assume that our strategy to remain a world leader cannot be sustained without proper training and investment. They are making an effort to provide what we need to continue being the world leader. Indeed, the Digital Strategy could end up being one of the best things we have ever done to help ourselves on the world stage.

Friday, 3 March 2017

Converting IT Closets into Edge Computing Sites

The year was 1968. My father was holding what looked like a black suitcase with two white stripes. He handed it to me and said “Here’s a gift for you. Your first record player!” For years, I played records on that turntable (“Hey Jude” by the Beatles was the first “single” I ever owned). Eventually, that portable record player found its way to the closet as new formats for music were released to the marketplace.

Today, the data centre industry finds itself undergoing changes just as radical as what has occurred within the music industry. Just as CDs replaced vinyl records, and music downloads have, even more quickly, replaced CDs, older wiring closets and makeshift server rooms are being radically transformed.

For consumers of music, a need for convenience and mobile access to songs drove these changes (why bring a pile of scratched records to the party if pushing one button on your mobile phone grants you access to your preferred playlist, without the snap, crackle, pop and skips?). For IT staffs, the spaces dedicated to two-post racks and cables need to be optimized and repurposed to serve the performance needs of bandwidth-hungry end users.

The drive for IT closet space optimization involves both the need for local computing sites to aggregate and store local data in order to provide “edge” users with faster and easier ways to access information, and the need for IT staffs to beef up remote management services. The new, affordable remote services run on cloud-based platforms and offer benefits such as data analytics, reduced downtime, reduced operations overhead, and improved energy efficiency for power and cooling systems.

As we enter a new phase in the way IT staffs support local users, confusion exists regarding the differences between old school IT closets and modern Edge Computing sites. Just like vinyl records and downloads both produce music, the way the final product (in this case data and information) gets produced, delivered and consumed requires rethinking.

Below are highlights of some of the critical differences between traditional IT closets and modern Edge Computing sites:

· Uptime expectations – According to industry estimates, some 2.9 million IT closets (small server rooms and wiring closets) exist in the United States alone and over 70% report outages directly attributed to human error. Many of these IT closet facilities are unattended IT rooms that are minimally supervised. In most cases, operators and administrators have trouble preventing human error from occurring in these environments. For example, cleaning staff can walk in and unwittingly disconnect a cable. In edge environments, remote monitoring and automation software can be integrated with video surveillance and sensors to reduce the occurrence of human error-related downtime. Racks and enclosures are preconfigured to include integrated power and cooling, cable management, monitoring and management software, cybersecurity, physical security (like remotely controlled rack locks), intelligent rack outlets and sensor technology.

· Power infrastructure – Most wiring closets have little, if any, uninterruptible power available. In fact, the legacy wiring closet, which used to house passive devices like patch panels and hubs, will now need to evolve to accommodate high power switches, higher density servers, routers and Uninterruptible Power Supplies (UPS) with longer runtimes.

· Cooling configurations – The cooling of IT wiring closets is rarely planned and typically only implemented after failures or overheating occur. Because the power density of IT equipment has increased over time, distributed IT equipment such as routers, switches or servers overheats more often and fails prematurely due to inadequate cooling. In new edge environments, solutions such as the Schneider Electric Micro Data Centre have been designed to assure cooling compatibility with anticipated loads. Oversizing is avoided so that electrical efficiency is maximized. Footprint options are flexible enough to work in spaces of various shapes and sizes, including closet-like spaces.

As vinyl records begin to fade from the memories of most consumers (except for hard core vinyl lovers), so will legacy IT closets. To learn more about how Edge Computing is revolutionizing the way IT rooms and small data centres at the edge of networks are being configured, download Schneider Electric white paper #226 “The Drivers and Benefits of Edge Computing”.

Guest blog by Dennis Bouley on behalf of Schneider Electric