Elephants and Information Security

I’ve been thinking more about the Sony Pictures story…. it has been mentioned that it could be an insider job… what this means is that all information needs to be protected, not just within the organisation, but between each individual identity.

Every business process in an organisation should be protected cryptographically, there should be a thread of traceability leading to the originating source. Only authorised parties involved in any digital interaction should have access to information being moved around, or as a matter of fact, information at rest. All email communications should also be encrypted.. and only the creator of the content and recipients should be able to read communications, and attachments. Creators of information should have absolute traceability in every one of their digital interactions, that could be a part of a business process.

But how to do this? Like an elephant… you know how to eat an elephant? Eat a small piece at a time so you don’t get indigestion. So the answer is that one should take, and work with, one business process at a time, building piecemeal a secure water-tight shield across an organisation’s information assets, including their people.


Shaken but not stirred – Sony Pictures

It’s been a chilling experience for Sony Pictures, and a little surreal for those observing. It could be one of their movies….

Bruce Schneier has some thoughts. The hacking incident has shocked many, although any of us in information security may not be particularly surprised.

After many years in information security I am continually disappointed by the lack of focus there is in securing an organisation’s information assets. This includes intellectual property (IP), and any information that needs to be protected in generating IP. The focus on being ‘compliant’ and finding ways to get that tick-box without being really serious about doing what is right, is worrying. I wrote a post in April this year that dives into this subject.

Of course if an organisation is not serious about protecting its IP, how can you expect it to protect your personal information, as employees, customers and partners? The lack of measures taken to secure employee personal information brings home the fact that when it comes to securing our personal data, and anything we generate, i.e. digital footprint, it is up to us all individually to take control. It seems that we can’t trust anyone else…

But how is this possible? Well take a look at Lequinox, they have turned the identity paradigm upside-down. See if you can get your head around this way of thinking. They are empowering the individual; each one of us is to take control over what belongs to us. You control (and legally own) your digital identity and your digital footprint, and every identity in the world controls their own identity. It is the Lequinox technology with its cryptographic black box of magic that makes this possible. If you understand this, you will see that in the future, potentially it is you that is in control…

Foreign companies can bypass Swedish Personal Data Act (PUL)

Yes I know, I’m here again complaining about the Swedish law protecting personal information that has no teeth! Now it seems that there is another loophole in the law following a new ruling that enables foreign companies to extract and use PII of Swedish residents/citizens, any persons associated with a Swedish ID#. Read more in this article which is in Swedish, but I’ve done an English translation below.


In previous posts I’ve discussed the weaknesses in Swedish law pertaining to the protection of personal information. Basically there is a conflict between the PUL (Personal Data Act) and the Freedom of Expression Act, which presents a loophole for companies wanting to make money from PII. Both laws have good intentions, but the latter is being abused.


TRANSLATION
Foreign companies can bypass Personal Data Act (PUL)
Foreign companies can get information on Swedes that is denied to domestic companies with reference to the Personal Data Act (PUL). A judgment of the Supreme Administrative Court states that a Norwegian staffing agency is entitled to get information about all Swedish nurses from the National Board, despite the fact that the authorities first denied it because it would violate the PUL. But as the law is written, the information cannot be denied because PUL is not applicable abroad, reports P3 News. The ruling means that it is now free for foreign companies to request public documents from Swedish authorities, and that Swedish companies can open subsidiaries abroad in order to request information that way, says Dennis Töllborg, professor of jurisprudence.
– There is a remarkable gap in the law.

#HPDiscover – The Machine – The Future – Good, Bad, Both?

@ #HPDiscover Barcelona uncovered “The Machine”. The Machine has been re-architected bottom-up, which means all this stupid business of juggling different types of memory, trading off speed against the stability of persistent memory as far as the architecture allows, will be a thing of the past. The Machine will have the advantages of fast memory, yet the stability of persistent memory. This is just one technical rework in The Machine; there is loads more. I’m not an expert on hardware, but I understood enough to appreciate the enormity of this innovation.

http://youtu.be/QPQ1AheNro8

But what does this mean? What they demoed is how quick it will be to find similar pictures in a big data archive containing millions of pictures. Imagine what this means from a crime-prevention viewpoint; imagine how this can be used to protect children against sexual predators. Imagine the speed at which biometrics will work, imagine, imagine the possibilities….

On the other side of the coin we can speculate on the impact on our personal privacy. The ease and speed of sifting through millions of graphics, data, whatever, means that everything about each one of us will be available to governments, secret agencies, and criminal organisations. This includes everything you share online, your location data, your photos, all pictures of you captured on the millions of surveillance cameras worldwide. With The Machine everything that is public will be instantly available.

So what should you do? Well you need to take control of your identity, your PII (Personal Identifying Information) and your digital footprint. In order to make this possible, how identities are managed today needs to be re-architected bottom-up, exactly as HP has done with The Machine. Existing identity management architectures are not scalable, and even with federation you are not in control, whatever the supporters of federation may claim.

The only way forward is that you control your identity, hence own your identity, and your digital footprint. You should have absolute traceability on your identity. You control, and encrypt, everything you do; every digital interaction, if you choose to share, is done under your conditions. This is only possible by strengthening your digital identity with the use of reference sources, so that it mirrors how your identity works in the physical world. However, just as with The Machine, it is early days, yet the first step is possible…. which means that you have the chance to be one of the first to take control of what belongs to you, your identity and your digital footprint. Check the video below.

Bringing LEGALITY into digital interactions

#HPDiscover 2014 was amazing! HP Invent is back! I am so excited by what I saw and experienced during this week in Barcelona. I even got the chance to shake hands with Meg Whitman 🙂

Why was I there though? After all, I’m not working for HP anymore. Well, apart from the fact that I still love the company that has got its spirit back, and am excited by their new energy and wave of innovation, I am part of a start-up that is launching applications into the HP Helion cloud.

The ART of Compliance is about bringing legality into digital interactions. It should mirror how business processes work in the real world: legality should be preserved. In fact, if you have legality in your digital interactions, then you have more than what is possible in the physical world, as increased transparency and absolute traceability become possible.