Friday, February 24, 2012

Cloud Security - Good or Not?

There is a debate going on these days about whether placing systems in the cloud is good for security or not. On the one hand, the argument goes, cloud providers usually have good security in place, and that security should translate into better security for the company. On the other hand, if the company runs its own security, that security may be better suited to the company and more likely to cover the specific risks it faces.

The debate referenced in this article addresses that issue. In the end, the point is made that no matter whether the systems are in the cloud or not, the company must remain responsible for its own security. Many security functions, such as maintaining IDs and passwords and monitoring activity, cannot be outsourced, and so the company must take responsibility for them. And it is these very functions that are core to the security system and that largely determine whether it is effective or not.

Wednesday, February 22, 2012

Time for OTP

The old ID/password approach to security is long past its effective life. With smartphones becoming payment mechanisms - effectively wallets - the need for better security mechanisms is growing. So we are seeing a revival of interest in one-time password (OTP) security systems.

With mobile phones, OTP could work in conjunction with Near Field Communication (NFC), which enables the phone to communicate with devices held a few centimetres away. While NFC could be the enabler for the payments, it could also be the enabler for OTP by using mobile tags, which generate instant encrypted passwords that are different for each use and are derived from a single root password. The generation of the passwords would be carried out in the cloud and the result passed back to unlock the mobile for use. It would be transparent and simple. Some applications are coming out for this purpose, and it seems likely that they will become widely used on mobile devices in the near future. Here's a more complete description of the technology.

Tuesday, February 14, 2012


US Lawsuit Raises Questions About Email Privacy

A lawsuit filed in the District Court in DC against the FDA is raising some interesting questions about email privacy when employer computers are being used. It's an old question, but one that isn't fully resolved as yet. In this case, the users were using FDA computers but had permission to use them for personal purposes. The suit alleges that the FDA installed monitoring software to capture and archive the messages, many of which were extremely personal.

The question is, given that the employees had permission to use the computers for personal purposes, did they have a right to expect normal privacy in their correspondence? Intuitively, many people would answer in the affirmative.

This right of employees is protected by the Canadian privacy law - PIPEDA. But PIPEDA doesn't necessarily apply in all provinces, and not all provinces have their own privacy law.

At a minimum, one would expect that the ground rules for personal use of employer computers need to be spelled out in advance. But even then, does the employer have the right to impose monitoring on private correspondence? The suit may address this issue as well. For a write-up on the lawsuit, check this link.

Friday, February 10, 2012

FedRAMP - New Security Controls

The US Government's General Services Administration has released the details of its new policy on the requirements that government departments and agencies must follow when using cloud providers. The policy is not incorporated in legislation but is expected to become part of the standard contracts for entering into arrangements with the providers.

Under the policy, there is extensive reliance on IT controls, with 160 controls defined as part of the policy. The details of FedRAMP are contained on its website. Also, this linked article provides insight into its proposed role in government procurement of cloud services.

Monday, February 6, 2012

The Bouncer

Now that smartphones have outsold PCs and Android has become the most popular smartphone system outside of Apple's, it behooves us to get serious about security for Android devices. Any successful operating system attracts all kinds of malware and hacker activity. Google has risen to the call with Bouncer, an app that establishes a rounded-out security service for Android phones. Bouncer carries out virus protection, scanning for malware and the like and simulating Android behaviour in the cloud to ferret it out. Check it out.