Archive

Archive for the ‘Privacy’ Category

Incomplete Thought: Cloud Capacity Clearinghouses & Marketplaces – A Security/Compliance/Privacy Minefield?

March 11th, 2011 2 comments
Advertisement for the automatic (dial) telepho...

Image via Wikipedia

With my focus on cloud security, I’m always fascinated when derivative business models arise that take the issues associated with “mainstream” cloud adoption and really bring issues of security, compliance and privacy into even sharper focus.

To wit, Enomaly recently launched SpotCloud – a Cloud Capacity Clearinghouse & Marketplace in which cloud providers can sell idle compute capacity and consumers may purchase said capacity based upon “…location, cost and quality.”

Got a VM-based workload?  Want to run it cheaply for a short period of time?

…Have any security/compliance/privacy requirements?

To me, “quality” means something different that simply availability…it means service levels, security, privacy, transparency and visibility.

Whilst one can select the geographic location where your VM will run, as part of offering an “opaque inventory,” the identity of the cloud provider is not disclosed.  This begs the question of how the suppliers are vetted and assessed for security, compliance and privacy.  According to the SpotCloud FAQ, the answer is only a vague “We fully vet all market participants.”

There are two very interesting question/answer pairings on the SpotCloud FAQ that relate to security and service availability:

How do I secure my SpotCloud VM?

User access to VM should be disabled for increased security. The VM package is typically configured to automatically boot, self configure itself and phone home without the need for direct OS access. VM examples available.

Are there any SLA’s, support or guarantees?

No, to keep the costs as low as possible the service is offered without any SLA, direct support or guarantees. We may offer support in the future. Although we do have a phone and are more than happy to talk to you…

:: shudder ::

For now, I would assume that this means that if your workloads are at all mission critical, sensitive, subject to compliance requirements or traffic in any sort of sensitive data, this sort of exchange option may not be for you. I don’t have data on the use cases for the workloads being run using SpotCloud, but perhaps we’ll see Enomaly make this information more available as time goes on.

I would further assume that the criteria for provider selection might be expanded to include certification, compliance and security capabilities — all the more reason for these providers to consider something like CloudAudit which would enable them to provide supporting materials related to their assertions. (*wink*)

To be clear, from a marketplace perspective, I think this is a really nifty idea — sort of the cloud-based SETI-for-cost version of the Mechanical Turk.  It takes the notion of “utility” and really makes one think of the options.  I remember thinking the same thing when Zimory launched their marketplace in 2009.

I think ultimately this further amplifies the message that we need to build survivable systems, write secure code and continue to place an emphasis on the security of information deployed using cloud services. Duh-ja vu.

This sort of use case also begs the interesting set of questions as to what these monolithic apps are intended to provide — surely they transit in some sort of information — information that comes from somewhere?  The oft-touted massively scaleable compute “front-end” overlay of public cloud often times means that the scale-out architectures leveraged to deliver service connect back to something else…

You likely see where this is going…

At any rate, I think these marketplace offerings will, for the foreseeable future, serve a specific type of consumer trafficking in specific types of information/service — it’s yet another vertical service offering that cloud can satisfy.

What do you think?

/Hoff

Enhanced by Zemanta

Google and Privacy: an EPIC Fail…

March 18th, 2009 2 comments

“I do not think this means what you think it means…”

This isn’t a post specific to Google’s struggles with privacy, specifically, but rather the Electronic Privacy Information Center’s (EPIC) tactics in a complaint/petition filed with the FTC in which EPIC claims that the privacy and security risks associated with Google’s “Cloud Computing Services” are inadequate, injurious to consumers, and that Google has engaged in “unfair and/or deceptive trade policies.”  

EPIC is petitioning the FTC to “..enjoin Google from offering such services until safeguards are verifiable established” as well as compel them to “…contribute $5,000,000 to a public fund that will help support, research concerning privacy enhancing technologies.”

In reading the petition which you can find here, you will notice that parallels are drawn and overtly called out that liken Google’s recent issues to that of TJX and ChoicePoint.  The report is a rambling mess of hyperbolic references and footnotes which appears is meant to froth the FTC into action, especially by suggesting the overt comparison to the breaches of confidential information from the likes of the aforementioned companies.

EPIC suggests that Google’s indadequate security is both an unfair business practice and a deceptive trade practice and while these two claims make up the meat of the complaint, they represent the smallest amount of text in the report with the most amount of emotive melodrama: “…consumer’s justified privacy expectations were dashed…” “…the Google Docs Data Breach exposed consumers’ personal information…”  I can haz evidence of these claims, please?

While I’m not happy with some of Google’s practices as they relate to privacy, nor am I pleased with hiccups they’ve had with services like GMail and the most recent “privacy pollution” issue surrounding Google Docs, here’s an interesting factoid that EPIC seems to have missed:

Google Apps like those mentioned are FREE. We consumers are not engaging in “Trade” when we don’t pay for said services. Further, we as consumers must accept the risk associated with said offerings when we agree to the terms of service. Right, wrong, or indifferent, you get what you pay for and should expect NO privacy despite Google’s best efforts to provide it (or not.)

I could tolerate this pandering to the FTC if it were not for what amounts to the jumping the shark on the part of EPIC by plastering Cloud Computing as the root of all evil (with Google as the ringmaster) and the blatant publicity stunt and fundraising attempt by demanding that the FTC “compel” Google to bleed out $5,000,000 to a fund that would likely feed more of this sort of drivel.

If we want privacy advancements with Google or any Cloud Computing service provider, this isn’t the way to do it.

As my good friend David Mortman said “EPIC apparently thinks its all about publicity. They are turning into the peta of privacy.” 

I agree. What’s next?  Will we rename personally identifiable information to “information kittens?”

/Hoff

P.S. Again, I am not trying to downplay any concerns with privacy in Cloud Computing because EPIC’s report does do a reasonable job of highlighting issues.  My friend Zach Lanier (@quine) did a great job summarizing his reaction to the post here:

It’s almost as though EPIC need to remind everyone that they still exist

and haven’t become entirely decrepit and overshadowed by the EFF. The

document is well assembled, citing examples that most users *don’t*

consider when using Google services (or just about any *aaS, for that

matter). Incidentally, the complaint references a recently published

report from the World Privacy Forum on privacy risks in Cloud

Computing[1]. Both documents raise a few similar points.

 

For example, how many of us actually read, end-to-end, the TOS and

privacy policy of the Provider? How many of us validate claims like

“your data are safe from unauthorized access when you store it on our

Cumulonimbus Mega Awesome Cloud Storage Platform”?

 

I, for one, laud EPIC’s past efforts and the heart whence this complaint

emerges. However, like a few others, the request for enjoinment

basically negated my support for the complaint in its entirety.

 

[1] http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf),

— Zach Lanier | http://n0where.org/ | (617) 606-3451 FP: 7CC5 5DEE E46F 5F41 9913 1577 E320 1D64 A200 AB49

Interesting Read: The World Privacy Forum’s Cloud Privacy Report

February 25th, 2009 No comments

The World Privacy Forum released their "Cloud Privacy Report" written by Robert Gellman two days ago. It's an interesting read that describes the many facets of data privacy concerns in Cloud environments: 

This report discusses the issue of cloud computing and outlines its implications for the privacy of 
personal information as well as its implications for the confidentiality of business and 
governmental information. The report finds that for some information and for some business 
users, sharing may be illegal, may be limited in some ways, or may affect the status or 
protections of the information shared. The report discusses how even when no laws or 
obligations block the ability of a user to disclose information to a cloud provider, disclosure may 
still not be free of consequences. The report finds that information stored by a business or an 
individual with a third party may have fewer or weaker privacy or other protections than 
information in the possession of the creator of the information. The report, in its analysis and 
discussion of relevant laws, finds that both government agencies and private litigants may be 
able to obtain information from a third party more easily than from the creator of the 
information. A cloud provider’s terms of service, privacy policy, and location may significantly 
affect a user’s privacy and confidentiality interests.


I plan to spend some time reading through the report in more depth, but I enjoyed my cursory review thus far, especially some of the coverage related to issues such as FCRA, bankruptcy, Cloud provider ownership, disclosure, etc.  Many of these issues are near and dear to my heart.

You can download the report here.

/Hoff
Categories: Cloud Computing, Cloud Security, Privacy Tags:

Privacy Execs: Orange Jumpsuits In Your Future? Google’s Privacy Counsel Criminally Charged

February 3rd, 2009 No comments

Handcuffs
I find this case extremely fascinating on many levels.  From eWeek:

According to the International Association of Privacy
Professionals, the charges are thought to be the first criminal
sanction ever pursued against a privacy professional for his company's
actions.

You can see the original story from the International Association of Privacy Professionals (IAPP) here.

The implications of this are quite profound as you can imagine.  CEO's and CFO's can be held accountable for crimes committed under their watch, so it's not too far of a stretch to see how privacy officers like Fleischer will have their feet held to the fire when subject to international law that takes a different perspective on the responsibilities associated with privacy than we might. 

How many indictments have we had in the U.S. for the release of information in corporate breaches?  The U.K.?

I'm not making a judgment call on this particular case because I certainly don't have all of the details, but it sets a very interseting precedent.

Imagine if you were a Chief Privacy Officer or perhaps a Chief Information Officer subject to this sort of scrutiny outside of the due care and stewardship requirements of the job in general.  If something bad happens, generally the worst thing that might occur is you lose your job.

Imagine if you were personally liable for the posting of content from millions of users globally and could be sentenced to share a shower and a cell with an angry Italian man who can't get a decent cappuccino.  I can't imagine what that would be like.

This may be the first time a privacy professional has been charged on behalf of the company he/she is employed by, but I will bet this won't be the last time it happens, either.

Besides the impact this can have on employees of providers of service, Google suggests it calls into focus larger issues of Net Neutrality:

What's more, seeking to hold neutral platforms liable
for content posted on them is a direct attack on a free, open Internet. We
will continue to vigorously defend our employees in this prosecution."


An interesting argument for sure and one I can see being debated vigorously.  It's clear Google operates globally, so they must understand this sort of thing could happen.  What about Facebook (sorry, Chris) or MySpace?  What happens when Amazon is used to host data that is mishandled by someone.  What then?

Imagine what fun it's going to be when we're all cloudified and the mash-up frenzy makes the cross-pollenization of information today look orderly; who's responsible then?

What do you think?  Should privacy officers be liable for events like this?  Should CSO's/CISO's and Compliance Managers be liable when a breach occurs exposing protected information?  Think about that answer very carefully.

/Hoff

*You can find Peter Fleischer's blog here.

Generalizing About Security/Privacy as a Competitive Advantage is a Waste of Perfectly Good Electrons

September 4th, 2007 6 comments

Advantage
Curphey gets right to the point in this blog post by decrying that security and privacy do not constitute a competitive advantage to those companies who invest in it because consumers have shown time and time again that despite breaches of security, privacy and trust, they continue to do business with them.  I think.

He tends to blur the lines between corporate and consumer "advantage" without really defining either, but does manage to go so far as to hammer the point home with allegory that unites the arguments of security ROI, global warming and the futility of IT overall.  Time for coffee and some happy pills, Mark? ;)

Just for reference, let’s see how those goofy Oxfordians define "advantage":

advantage |ədˈvantij| noun a condition or circumstance that puts one in a favorable or superior position : companies with a computerized database are at an advantage | she had an advantage over her mother’s generation. • the opportunity to gain something; benefit or profit : you could learn something to your advantage | he saw some advantage in the proposal. • a favorable or desirable circumstance or feature; a benefit : the village’s proximity to the town is an advantage. • Tennis a player’s score in a game when they have won the first point after deuce (and will win the game if they win the next point). verb [ trans. ] put in a favorable or more favorable position.

Keep that in your back pocket for a minute.

OK, Mark, I’ll bite:

Many security vendors army of quota
carrying foot soldiers brandish their excel sheets that prove security
is important and why you should care. They usually go on to show
irrefutable numbers demonstrating security ROI models and TCO. I think
its all “bull shitake”!

…and those armies of security drones are fueled by things like compliance mandates put forth by legislation as a direct result of things like breaches, so it’s obviously important to someone.  Shitake or not, those "someones" are also buying.

You’ve already doomed this argument by polarizing it with the intractable death ray of ROI.  We’ve already gone ’round and ’round on the definition of "value" as it relates to ROI and security, so a good majority of folks have already signed off an aren’t reading past this point…yet I digress.

Wired has the scoop;

Privacy
is fast becoming the trendy concept in online marketing. An increasing
number of companies are flaunting the steps they’ve taken to protect
the privacy of their customers. But studies suggest consumers won’t pay
even 25 cents to protect their data.

Why should consumers pay anything to protect their data!? Security and privacy are table stakes expectations (see below) on the consumer front.  Companies invest millions in security and compliance initiatives driven by legislation brought on by representatives in local, state and federal government to help make it so.  Furthermore, given the fact that if someone utilizes my credit card to commit fraud, I’m not responsible; it’s written off!  If you change the accountability model, you can bet consumers would be a little more concerned with protecting their data.  I wager they’d pay a hell of a lot more than $0.25 for it, too.

They aren’t, because despite being inconvenienced, they don’t care.  They don’t have to.  But before you assume I’m just agreeing with your point, read on.

After the TJX debacle I remember seeing predictions that people will vote with their feet. Of course they didn’t, sales actually went up 9%. The same argument was made for Ruby Tuesdays who lost some credit cards. It just doesn’t happen. Lake Chad and disasters on a global scale continue to plague us due to climate change yet still people refuse to stop buying SUV’s.

See previous paragraph above.   When bad things happen, consumers expect that someone will put the hammer down and things will get better.  New legislation.  More safeguards.  Extended protection. They often do. 

Furthermore, with your argument, one could suggest that security/privacy have become a competitive advantage for TJX now since given their uptake and revenues, the following definition seems to apply:

Competitive advantage (CA) is a position that a firm
occupies in its competitive landscape. Michael Porter posits that a
competitive advantage, sustainable or not, exists when a company makes economic rents,
that is, their earnings exceed their costs (including cost of capital).
That means that normal competitive pressures are not able to drive down
the firm’s earnings to the point where they cover all costs and just
provide minimum sufficient additional return to keep capital invested.
Most forms of competitive advantage cannot be sustained for any length
of time because the promise of economic rents drives competitors to
duplicate the competitive advantage held by any one firm.

It looks to me that based upon your argument, TJX benefited from not only their renewed investment in security/privacy but from the breach itself!  I think the last statement resonates with your Carr’s commentary (below)  but you aren’t talking about "sustainable" competitive advantage.  Or are you?

Right, wrong or indifferent, this is how it works.  Corporate incrementalism is an acceptable go to market strategy to overall bolster one’s strategy over a competitor; it’s the entire long tail approach to marketing.  You can’t be surprised by this?

This is why we have hybrid SUV’s now…

Nicholas Carr discusses this in IT Doesn’t Matter.
To start with technologies can become competitive differentials like
the railroads or the telephone. But once everyone has it, the paying
field levels and it becomes table stakes. Its a competitive
disadvantage if you aren’t in the game (i.e. insecure) but the economic
cost of developing a service or technology that is so compelling as to
become an advantage ain’t on the radar (for the most part).

So getting back to what I thought was your original premise, and escape the low-earth orbit of the affliction of the human condition, global warming and ROI… :(

For the sake of argument, let’s assume that I agree with your lofty generalizations that security and privacy do not represent a competitive advantage.  Please turn off your firewall now.  Deactivate your anti-virus and ant-spam.  Turn off that IDS/IPS.  Remove those WebApp firewall-enabled load balancers…

Yes, IT (and security/privacy) are table stakes (as I established above) but NOT having them would be a competitive disadvantage. THAT is the point.  It’s a referential argument and a silly one at that.

…almost as silly as suggesting that you shouldn’t try to measure the effectiveness of security; it seems that people want to hang language on these topics and debate that instead of the core issue itself.

The threat models dictate how investments are made and how they are perceived to be advantageous or not.  They’re also cyclical and temporal, so over time, their value depreciates until the next wave requires more investment.  Basic economics.

Generalizing about security and privacy as not being competitive advantages is a waste of time.  I’d love to see an ad from a company that says they’re NOT investing in security and privacy and that their Corporate credo is "screw it, you don’t care, anyway…"

I’m going to get on my bike and ride down to the store to buy a cup of coffee with my credit card now…

/Hoff