Feeds

All I want for Christmas...

Security wish list

5 things you didn’t know about cloud backup

Mark Rasch takes a step back and offers his holiday and New Year's wish list of all things security - items that should exist, be made available and be easy to use for everyone over the coming year.

It is traditional this time of year for people to make lists of what they want for the holidays. You know, a Nintendo Wii, a PS3, a Treo 700p... depending on whether you have been naughty or nice (I hope you all are taking notes). But for the information security-minded, I have developed my own personal wish list of technologies and applications which, as both a lawyer and an information security professional, I would like to see both developed and implemented in the coming year. Now I know that individual aspects of these technologies actually already exist - some of them for many many years. And I know that niche products may meet some or all of the goals I want to achieve here. I welcome comments about how a particular technology may meet the needs. What I want for Christmas (or Hanukkah, Kwanzaa, Eid, or whatever) is a solution that works seamlessly and with no user input. So here is my Christmas list:

1. Easy encryption

Lets face it, communications and files are not secure. What I want is to send an e-mail just the way I always do: look up an address (or click on a link, or retrieve a stored address) and have it sent in a way that cannot be intercepted, read or interfered with by anyone other than the intended recipient. Oh, and authentication of both the sender and receiver would be nice as well, so I can block spam more easily, and so the recipient can know the mail came from me. I want this done with little or no overhead costs, and no user input. I just want to send secure e-mail.

The files on my computer also should be encrypted seamlessly and effortlessly. In other words, when (note I say when, and not if) I lose my laptop computer, I want to know that the only thing they got that was useful was the hardware itself no data, and I mean absolutely no data should be compromised. Imagine if the Veterans Administration had something like that. Yeah, I know RSA and PGP have programs that do this, and that Vista will do the same thing, but I want it to be idiot-proof, or at least idiot resistant. I want the stuff scrambled without my input. So much for data breach notifications.

On the other hand, as an administrator, manager or compliance officer, I want to be able to monitor everything going on inside the company. I want free range (with appropriate auditing) to look at any files within the company I need to see. Nobody said this was going to be easy or even possible. Remember, as Ralph Waldo Emerson said, a foolish consistency is the hobgoblin of little minds.

2. Know what you know...search for the rest

I can conduct a Google search of a few billion web pages in about 3.2 seconds, including the use of boolean searches, key word searches, and other kinds of searches to find relevant information. But, as a lawyer and litigator, if I get a document request in discovery for all documents relating to the Jones contract, it takes months to sort through all the files in the company and index them to find the right documents. In fact, most companies see the process of inventorying, collating and examining documents as a necessary evil in preparation for or in response to litigation or threats of litigation.

What this means as a practical matter is that the company is spending money and resources to help out the person suing them to learn what happened in a particular transaction or series of transactions. This is silly. What a company should be able to do is to conduct a search of all documents oh, and I mean all documents (documents, spreadsheets, e-mails, instant messages, chat sessions) within the company (on every desktop, laptop, and server anywhere in the world) no matter how it is maintained (or stored on i Pod, thumb drive, and so on) It should be able to find these documents long before and irrespective of any litigation.

The law presumes that a collective entity known as a company, a partnership, or a government agency knows everything that any part of that entity knows. So if Employee X in Chicago knows one thing, and Employee Y in Santiago Chile knows something else, then the Company knows both things. We all know that this presumption is absurd. The problem is, as a decision maker, you should have the ability to at least find the information that is collected within the IT systems of the company as easily as you could find a decent pair of tennis shoes. Moreover, you shouldn't wait for a lawsuit to do this. It is important to know what you know as you are making decisions, not afterwards.

Of course, this would require not only indexing and searching every bit of digital information within the enterprise, but also deciding in advance who would have the authority to search for these files, and for what purposes. Oh, and remember where I said above that everything in the company would be encrypted? Again, consistency is not essential here, we are talking Santa Claus today. This is a wish list. If Santa can fit down the chimney of my gas powered fireplace, surely he can do this.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.