So which law applies?

Now this is a really interesting legal case. Facebook has a marketing and advertising business established as a separate legal entity in Germany. In December 2012, the Schleswig DPA issued orders against Facebook Inc. in the U.S. and Facebook Ltd. in Ireland, in which the DPA demanded that Facebook allow its German users to use pseudonyms.

So which law applies? Germany, Ireland, or US? In the end Germany lost. It was decided that the Irish DPU laws applied. The ruling stated that it was not considered a sufficient presence to warrant the application of German data protection law.

Draft rules on use of personal information in China

Really interesting post on rules concerning the use of personal information in China.

If you make it to the end of the article 😉 I am very much of the same opinion as the author, in that okay to have rules but what about enforcement. Also is the actual intentions of the Chinese authorities? Are they really after protecting the human rights of the Chinese citizen, or is this another ploy to enforce registration of identity, hence make anonymous access to online resources impossible. This restricts freedom of speech… as if it is not already enough given existing controls…

Cloud SLAs – what is important?

I’ve been digging around a little to define what is different with Cloud SLAs over a normal outsourced account, and there is quite some controversy. Lydia Leong, a Gartner blogger claims that the type of cloud SLAs used by AWS (Amazon Web Services) and HP Cloud Services are quite useless in helping cloud users (tenants) from mitigating their risks, and getting compensation when services are unavailable.

One example is that the SLA on unplanned downtime (outside of events of force majeure) for AWS is calculated over a year, not a month. Which means if your cloud services are unavailable 4½ hours in a single day during a single year you cannot claim a cent. She also talks about how they are organised around a region availability, not by instance or AZ (physical data-centre) availability. This seems to make sense to us cloud ignorants, after all there is redundancy in the cloud? Or not… according to Lyndia, at least when it comes to cloud SLAs. I’m still trying to get my head around all this 😉

Lyndia did recommend the Dimension Data (OpSource) SLA as it has a simplicity that makes more sense. For example the cloud SLAs are split by Infrastructure and Application availability. ¨Whereas AWS and HP only do SLAs for Infrastructure, or at least at the posting of this article in December 2012. HP has since this posting given a statement in respond to this claim. However Lyndia sticks to her opinion, although states that “arguably the nuances make the HP SLA slightly better than the AWS SLA“.

So what’s my take on this? At the moment nothing strong. Be aware of the risks if you go to the cloud, then you could transfer your risk, take out some insurance. It really depends how much money you are losing for every hour your services are down. According to Lyndia, Amazon has started letting cyber-risk insurers inspect the AWS operations so that they can estimate risk and write policies for AWS customers. I do think that often to take a services approach to your business makes really good sense, and the cloud is a way forward whether you like it or not.

Social identity

Social identity is becoming all the buzz today. But for me this is just another form of single signon using social media, e.g. Facebook as the linking identity.

This does not address the need for respect of personal privacy. It does not empower the identity holder. It is not scalable to 6bn people worldwide. Check my previous post for more on this.

Advanced Persistent Threats (APT)

APTs are as David Lacey says in his post on Computer Weekly blog that we need to find some learning points from how we manage them. I agree that ticking controls as compliant is not the way forward, although clearly it can demonstrate “due diligence” and provide certain safeguards. My opinion is that most business owners really don’t care until they’ve been exposed to the consequences of this type of attack. I believe that the reason why is 2-fold:

1) they have invested in “security theatre” technologies for too long now, i.e. technologies that don’t improve security, but make you feel safer. Often the impulse to invest in security is triggered by scaring the audience into digging deep in their pockets, powerpoint slides, press reports, etc., it is like the boy that shouted “wolf” one time too many.

2) Secondly there is a serious lack of alignment between the technology/security technical parts of an organisation and the Line of Business (LoB). McAfee have written a really good book on this (Security Battleground) and I advise reading in order to focus your investment, and get the ear of the business owner having money to spend on security. They don’t mention technologies once. I have met once of the authors here in Sweden recently (Kevin T. Readon) and he is a sound guy, he really knows his stuff!

So what is their advice? Basically from a LoB angle focus on the 3Rs: 1) Rich, what makes your business rich?; 2) Ruin, what can ruin your business?; and 3) Regulations, what do you need to be compliant with? I would say to just demonstrate “due diligence”.

I also believe in deeply the stuff that David has been co-founder of that security should follow the information, or be close to the information, i.e. perimeter security is not the future (Jericho Forum). And I’m an avid follower of what Intel is up to with their VPro, security from the chip-level up (I know technically it is not a perfect description ;-)).

One of the major challenges I believe for now and the future is authentication/authorization with the BYOD trends, and the fact too that many of the APTs do attack humans. The most promising trends I seen to date is that from Lequa, they are placing the identity in the hands of the individual. No more PKI, or Identity Management top level down… that is not, let’s face it, scalable to 6bn persons worldwide? I don’t know if they will succeed, but if they don’t I still think that a bottom-up approach is the way forward, especially if this is integrated with what Intel is upto.

CISPA

Cyber Intelligence Sharing and Protection Act (CISA) is not aligned with civil and privacy rights of the individual according to privacy advocates such as Electronic Frontier Foundation and Avaaz.org.

Neither Microsoft or Facebook support this bill. Imagine that everything you post on FB to be available for government authorities? Fine if you trust them I suppose, but I don’t.

Why is not crowdsourcing used more in the fight against terrorism? Transparency and the power of the people, of whom most want a safe society could provide an all encompassing safetynet. Crowdsourcing for example is starting to be used to locate missing persons and children, it is very powerful. There are so many people out there that can make a positive difference to this broken world we live in.