Showing posts with label Data Privacy. Show all posts

EU Data Protection: When Your Organization's Lifeblood becomes Poisonous

Damian Hallmark

A breaking development in the EU is creating ripples that could grow into a global tsunami. A European Court of Justice opinion highlights the pending impact on any global organization that processes EU personal information outside of the EU.

A privacy campaigner has scored a legal victory that could bolster his attempts to prevent Facebook from passing EU citizens' data to the US authorities, a result that he suggests could have far-reaching consequences. The opinion issued by the European Court of Justice says that the current data-sharing rules between the 28-nation bloc and the US are "invalid." This decision could affect other tech firms' ability to send Europeans' information to US data centres.

Art Coviello at RSA: Time for All of Us to Step Up on Cyber Threats and Privacy

Jason Fredrickson

RSA chief Art Coviello had a lot to cover at his RSA Conference keynote this week. In fact, he had so much to say that he tossed out his original talk and got straight to the point: his organization’s involvement with the NSA, the urgency of the cyber threat landscape, and how we should all be doing much, much more to collaborate as a security community.

Coviello came out of the gate with the first direct issue, denying the allegations that his company took $10 million from the NSA to build a backdoor into its software, and noted that their joint projects were never secret. He says that, like other commercial organizations that work with the government, RSA used the (flawed) random-number generator named in the allegations in order to meet its certification requirements, then took it out when NIST said it should. He also spent a few minutes discussing the dual nature of the NSA, the difference between its two purposes of intelligence gathering (offense) and information security (defense), and reiterated a call to separate the two into different agencies.

A Mantra for Data Privacy Day: “Trust, but Verify”

Anthony Di Bello

The National Cyber Security Alliance has deemed today Data Privacy Day, and there probably isn’t anyone with a phone or an internet connection who hasn’t become deeply concerned about this issue in recent months. Guidance Software customers and our fellow information security professionals work in some of the most well-defended organizations on the planet, and we have learned a lot from collaborating with them on security in the age of assumed compromise—since the barbarians have breached the gate.

So although I’m certain that everyone reading this blog post knows far more about data security than the average citizen, I do have some recommendations. To begin with, the chief information security officer (CISO) at one of our customers, a global auto manufacturer, added a very important new facet to his internal data security training program.

The NSA Challenge: Protecting a Nation, its Citizens, and their Rights

Jason Fredrickson

The revelations late last year on the extent to which the National Security Agency (NSA) has encroached upon both corporate and citizens' information have rapidly had an impact on everything from lost (and massive) technology deals with foreign customers to common information security (InfoSec) practices in the enterprise. This morning, President Obama addressed the media and the nation in a speech about the NSA program that gathers billions of Americans' private phone records. Saying that he had not seen any indication of abuses of the program, he admitted that he recognized the potential for abuse and is requesting reforms to address these concerns.

The president announced the call for a "new approach" to phone-records collection, saying also that he is "ordering a transition that will end the…bulk metadata program as it currently exists" and establish a new mechanism that equips the NSA with the intelligence capabilities they need without the requirement to store what might be called "big metadata." "This will not be simple," President Obama noted, and said that a decision will need to be made on which entity will store the data and under which conditions the database can be queried. These are meaningful promises about important first steps that should be taken.

Yeah, they got an app that steals that.

Josh Beckett

Once again, on my long and arduous morning commute, the radio brought me a news story that prompted me to write. There was an NPR news story (oddly enough, I can't find a reference to it anywhere) about how many mobile phone apps borrow, steal, or leak your private information. My initial thought was, 'Hey, big software companies that attempt to understand issues of privacy have a tough time with this. It must be a serious problem when it comes to a boutique firm or garage programmer that doesn't care about anything other than getting their app to work and to market.'

Trust but verify, people.

Josh Beckett

I thought it was a well-understood security principle: trust but verify. Maybe it is, and the PHBs are simply out-voting the security crowd and the voice of reason. At the end of the day, when you don't know what is out in the cloud and have limited to no controls to act if you did know, your data is seriously at risk.

Of course, an equally well-known security principle states that a valid response to risk is to accept it. I would sincerely hope that the businesses that have my data aren't doing this. Who am I kidding? I know they are. As if I only do business with the 20% crowd... I can only dream of the day.

Better Incident Response Is the Real Game Changer

Josh Beckett

As usual, on my very long drive to work, I was getting my daily fix of NPR, and a couple of stories prompted me to write today. First was a story about one of the interesting side effects of moneyball and how it was making baseball games longer by increasing the value of players who get walks. More walks = longer games = less action = more fan boredom. Their takeaway from this: you get what you ask for. Not very security-esque, but stay with me.

The second story had to do with one of those agencies that's been in the news lately for monitoring lots and lots of email and phone communications. I've heard claims that all three branches of government had oversight of the process. It struck me that there is a major problem with that claim. They were all sworn to secrecy and operating behind closed doors. No transparency; just a tacit statement that they only look at the facts relevant to the bad stuff. OK, so how are the two stories related?

When it comes to personal information, be your own, best custodian

Josh Beckett

When it comes to maintaining the security of our information, we expect that others will do a good job with our information. However, when we, ourselves, don't really care and fling info all over the internet, why would anyone act surprised when others fail to do any better? Several days ago I read Bruce Schneier's blog, where he characterized society today as a surveillance state. I think that is a bit generous and would think that the label of police state would be slightly more appropriate.