Friday, 17 September 2010

Security Barriers are not Enough

Lauren Weinstein commented reasonably on the Alleged Snooping at Teens' Data by Google Engineer. Yet again we are shown that technology is no match for the evilly disposed or simply stupid. You do not have to be a conspiracy theorist to understand that there is a lot of sensitive information flying around the internet, or that by collating seemingly harmless data, sensitive information can be reconstructed. Points of concentration in the network (your ISP, Google, Bing and the like) increase the threat simply through the quantity of data available for analysis. Network security staff, database security staff and the strangely titled "Site Reliability Engineer" have fairly free range to see controlled information in order to do their jobs, but are they to be trusted? And who watches the watchers?

The trusted person does not have to be in the shadows. There are plenty of jobs where an authorised person could misuse authority. Law enforcement immediately springs to mind. Generally we trust those people in law enforcement; they are checked, double checked and swear allegiance. But what do we do when people in these positions abuse the trust? In New Zealand, they get promoted!

"A senior policeman caught accessing the police computer to pass on information to a private investigator working for convicted pack rapist Brad Shipton has been promoted to head the Police College's investigation and intelligence school. In 2005, then Senior Sergeant Dave Archibald was reprimanded for accessing the computer system known as National Intelligence Application during the trial of former police officers Shipton, Bob Schollum and two Mt Maunganui residents."
from Dominion Post 25/08/2010

Remember that it is the information that has to be controlled and protected, and that its presence in a computer network is not the whole of its life. On the systems side we need to ensure that:
  • information is appropriately classified
  • if the information needs to be restricted to authorised parties, there are systems
      • to ensure that the information access is appropriately controlled
      • to track the handling of that information so that misuse is detected
and, out in the real world, we need to behave as though privacy and personal security matter.
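
The tracking requirement in the list above can be made concrete with a small audit review. This is an added example, not code from the original post: it flags access to restricted records where the person had no recorded need to know. The log format, the assignment table, the record-to-case mapping and all names in it are assumptions constructed for illustration.

```python
from collections import namedtuple

# Constructed sample data, not taken from any real system.
Access = namedtuple("Access", "user record classification case_ref")

# Hypothetical need-to-know table: the cases each user is assigned to.
ASSIGNMENTS = {
    "analyst_a": {"CASE-101", "CASE-102"},
    "sre_b": {"TICKET-7"},
}

# Hypothetical mapping of each restricted record to the case it belongs to.
RECORD_CASE = {"rec-1": "CASE-101", "rec-2": "CASE-200", "rec-3": "TICKET-7"}

AUDIT_LOG = [
    Access("analyst_a", "rec-1", "restricted", "CASE-101"),  # assigned and justified
    Access("analyst_a", "rec-2", "restricted", "CASE-101"),  # record is not part of cited case
    Access("sre_b", "rec-3", "restricted", None),            # no justification recorded
    Access("sre_b", "rec-9", "public", None),                # unrestricted, nothing to check
    Access("analyst_a", "rec-2", "restricted", "CASE-200"),  # user not assigned to cited case
]

def review(event):
    """Return a reason string if the access needs human review, else None."""
    if event.classification != "restricted":
        return None
    if event.case_ref is None:
        return "no justification recorded"
    if event.case_ref not in ASSIGNMENTS.get(event.user, set()):
        return "user not assigned to cited case"
    # Unknown records map to None and are therefore flagged as well.
    if RECORD_CASE.get(event.record) != event.case_ref:
        return "record does not belong to cited case"
    return None

def flag_misuse(log):
    """Return (event, reason) pairs for every access that fails the checks."""
    return [(e, r) for e in log if (r := review(e)) is not None]

if __name__ == "__main__":
    for event, reason in flag_misuse(AUDIT_LOG):
        print(f"{event.user} -> {event.record}: {reason}")
```

Each flagged entry still needs a person outside the access path to review it, which is the "who watches the watchers" part that the code cannot supply.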
