CA Community

April 2011 - Posts

I Probably Know Your Location Data - Get Over It!

Published: April 28 2011, 01:55 PM | no comments
by Merritt Maxim

Ten years ago, someone wrote "Although every operator says that location services will require active participation by the user, location services will be a key security issue to watch in the years ahead."

With the recent news about Apple's popular iPhone smartphone storing location data, has that time come?

As is often the case with security incidents, the severity of the situation was overblown. But the media spotlight was sufficiently bright that it forced Apple to respond with a technical explanation and a promised software fix. Apple's statement, plus the newest security problem du jour (courtesy of the Sony PlayStation Network breach), probably means that the location issue will fade away.

The irony, of course, is that location data is useful not just to marketers: it can also serve public safety purposes, such as locating an individual in the event of a 911 emergency.

Nonetheless, the location data incident got me thinking: what other ways are there to find out an individual's location? Here are a few.

  • Credit Card Point-of-Sale (POS) transaction data. While credit card numbers are a frequent target for hackers, credit card transaction data could pinpoint where any given card has been used.
  • Automobile Toll Transponders. These transponders have become very popular in recent years. However, the accounts are usually available online and include details, down to the second, of when a given transponder passed a given point on the highway. In fact, transponder data has been featured as evidence in a Law & Order episode.
  • Loyalty Cards. Today, almost every retailer offers some type of bar-coded customer loyalty card. These cards track your purchases and points, but also where and when the cards are used, meaning they offer some location-based data.
  • IP Address. This location data is used to help personalize web sites for users, but there are ample free tools on the web that do reverse IP address lookups and include the latitude and longitude of a given IP address.
  • RFID Tags. The emergence of RFID in consumer applications is a new source of location information. Many ski resorts now use RFID-enabled lift tickets and store that RFID data to track individual skier activity. If I know a given user is a skier (maybe from mining his/her credit card POS data), I might be able to pinpoint their location on the mountain. This has already raised some privacy questions, as this article points out.
  • Social Media. Let's not forget the emergence of location-based social media tools like FourSquare. Of course, if a user is concerned about their location, they should not be using the service in the first place, but this is yet another accessible point for location data.

These examples cannot necessarily be used to detect an individual's location in real time, but with enough of this data, someone could predict an individual's location at a given time of day, such as weekdays between 8:00 and 8:30 AM on the MassPike between Exits 14 and 15, followed by a visit to a local coffee shop. Collectively, this data may just reveal the mundane nature of people's everyday lives, but if a criminal organization were interested in tracking an individual (for a potential kidnapping or extortion plot), this data could be very valuable.

This is not meant to be a doomsday piece, but merely to point out that location data is here to stay, and that this latest iPhone issue is neither the first time this issue has arisen nor the last.

What other examples of location data can you think of? Use the comment section to post your answers.

By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

Cloud Providers vs. Cloud Consumers - Survey Results Point to Impending Security Standoff

Published: April 28 2011, 10:55 AM | no comments
by Matthew Gardiner

CA Technologies and the Ponemon Institute recently released the results of the second part of our two-part cloud security survey. This survey focuses on the security perspectives of cloud providers, whereas the first survey focused on the security views of cloud consumers. Taken together, the two surveys show a stark contrast in how the two sides see the state of cloud security.

To put it plainly, cloud providers and cloud consumers do not currently agree when it comes to security. One of Ponemon's more provocative conclusions is that "...the focus on cost and speed [by cloud providers] and not on security or data protection creates a security hole." It does seem that a disconnect exists between what the IT people at cloud consumers are saying (that effective security systems and practices are standing in the way of faster cloud adoption) and what the cloud providers are focused on (improving the cost and speed of deployment of their services, but not security). Given that the latest survey consists of responses from more than 125 cloud provider organizations, covering all the modes of the public cloud (SaaS, PaaS and IaaS), it does cause one to sit up and take notice.

How do I make sense of this apparent disconnect between cloud providers and cloud consumers, given the current fast growth of public cloud services? I believe for the most part cloud consumers have not moved sensitive applications to public clouds, but have focused on moving primarily non-sensitive services to the cloud that benefit from the inherent capabilities of the cloud. But since so many organizations are exploring the cloud at the same time, albeit with less sensitive applications, adoption is currently accelerating quickly. In the first survey, cloud consumers in effect said, "I would move my more sensitive applications and data to public clouds if I could be more confident in the security."

Cloud providers, however, are reacting to the market as it exists today and are in a sense saying, "since you are only moving your more commoditized applications and data to the cloud, and security is less of a pressing issue, we are going to focus on cost and speed, and not security systems and processes." Thus we have a "security standoff." If the security situation doesn't change, a cloud adoption wall is ahead of us. At some point the easy-to-move applications will have moved, and organizations will be left with primarily the more sensitive ones to shift.

For the public cloud to reach its potential, sensitive applications and data must be able to migrate there. But for organizations to be willing and able to do this, the risk must be commensurate with the reward. It is thus imperative that both cloud providers and cloud consumers (and their security providers) look beyond the current cloud usage demand and collectively take on the challenges of moving more sensitive applications and data to the cloud.

By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...

NSTIC Launch – Three Aspects to Watch

Published: April 18 2011, 12:17 PM | 1 Comment(s)
by Matthew Gardiner

Last Friday, the White House officially launched the NSTIC, now that it has been signed by the president and published for all to read. Overall I am optimistic about the impact that the NSTIC can have on identity on the Internet, but there are three particular areas of progress that I am going to be watching to assess how positive the impact ultimately will be.

  • International engagement & collaboration - It is no secret that the Internet in its best form knows no boundaries. That makes it imperative that the identity ecosystem envisioned by the NSTIC also know no boundaries. This does not mean that every country needs to have the same approach to verifying online identities, just that the approaches should evolve to be interoperable with one another. Also, many other countries (Canada, New Zealand, Holland and others) are already well down the path towards applying the federated approach to the Internet identity challenge. It is important that the U.S. learn from them.
  • Business models/economics - If the envisioned identity ecosystem is to take off, it's important that the benefits outweigh the burdens for each of the participants. Appropriately, a lot of focus is on the user, but the relying parties and identity providers must have significant focus as well. For example, the identity or attribute providers can't be expected to provide their services without attractive levels of compensation to justify their ongoing investments. This is particularly true as the required level of identity assurance goes up.
  • Deploy real projects soon - It is also very important that the NSTIC not evolve into a purely discussion or debate initiative. Setting up and using even a small identity ecosystem will be very important to keep the momentum of the approach going.

Security Breaches – Communication with Customers

Published: April 06 2011, 02:51 PM | no comments
by Sumner Blount

Epsilon is a major email marketing firm that bills itself as "the world's largest permission-based email marketing provider," primarily because it sends over 40 billion (yes, with a "B") email messages a year. Last week, it disclosed that it suffered a security breach in which a subset of this huge customer email database was compromised. More details can be found here.

I hadn't heard about this breach until I received an email today from Best Buy, which obviously has my email address from a previous purchase that I made there. After reading it, I believe that Best Buy did essentially all we could expect a company to do in a difficult situation like this. This email contained the following information and flow (somewhat simplified):

  1. There has been a breach, and here's what we know about it
  2. Here's what you should, or should not, do about it
  3. Summary of our security policies, and what information we keep about you
  4. Where to go for more information

The mailing also had two important characteristics that are essential for a breach communication like this:  it was timely and it was informative.  After reading it, I (as a typical customer) was left with the impression that Best Buy was doing everything they could to safeguard my personal information, which is really all you can ask of a vendor that suffers a breach like this.

It gets much dicier when the communication comes directly from the company that was actually holding the data that was breached. Certainly both companies should respond proactively to the breach, but my guess is that most consumers don't hold Best Buy as responsible as the company that was actually breached. Compare the Best Buy situation with that of RSA, in which their own SecurID information (of some kind....we don't know yet) was breached. This raises a difficult question of how much information to provide to customers when their information is disclosed in some way. A "full disclosure" approach might potentially be used by the breach perpetrators or others to further attack the security of these devices. But a limited disclosure approach has great risks in terms of customer loyalty, as well as hindering customers in responding appropriately to the breach. Bruce Schneier does a nice job of exploring the impact partial disclosure has on the trust that is essential to a company like RSA.

So far, from the email that I have received as a consumer and a potential victim of this Epsilon breach, it appears that these companies have taken a proactive and responsible approach to this event.

By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

Privileged Administrators and the Cloud: Who will Watch the Watchmen?

Published: April 05 2011, 03:37 PM | no comments
by Matthew Gardiner

Privileged administrators are central to the operation of any datacenter, whether on your premises or in the cloud. While the vast majority of IT administrators are honest and careful, many of the most high-profile security breaches that have occurred have been caused by the willful actions of a problematic minority. The emergence of the cloud makes the issue of controls for privileged administrators more complex, because now the privileged administrators are both yours and those of the cloud provider. See my blog on Infosecurity.com where I take on this issue.
