ContactPoint goes live despite security fears

Thinking of the children - but is that all?

Striking a difficult balance

A difficult balance between usability and security needs to be struck, Okin argued.

"A database of this nature is very sensitive, and even more so in this case as the content concerns children. The security of such a database is critical to ensure the safety of the children's personal data. It needs to be ensured that the proper security controls around such data are in place before deploying this system.

"While it is important to facilitate the quick response and handling of these cases and streamline the processes involved with ensuring their safety, this cannot be done at the expense of their security."

Peter Houppermans, an independent security consultant who designed the UK government's GSI intranet while working for Cable & Wireless, said that contrary to what the minister claims, there are "no real security implications in talking about an overall result" of a penetration test.

"If there are issues I think it is worth mentioning that 'further work is required' in the interest of transparency and the taxpayer knowing if value for money is delivered," Houppermans told El Reg.

Houppermans added that questions remain over the minister's assurance that "remote access is impossible from unsecured broadband and public locations".

"If ContactPoint is not part of the GSI or another closed network I would be concerned that the reality differs from what the minister presently understands to be the case. There is no denial that access can take place over wireless, just that this access would be 'secured'."

Houppermans is doubtful about the insistence that data from the database can't be downloaded.

"That would be a challenge unless every single system having access is subject to the same, stringently enforced rules and security policies (such as USB and CD drive lockdown). Not that it's needed - do they have email? How is that secured? And what about that favourite train deposit format, printed paper?"

Like Okin, Houppermans stressed the importance of security awareness training for ContactPoint users if there's to be any hope that the system will be secure.

Tories ready to 'pull the plug'

Of course, the developing and the worrying may be in vain, as the Conservatives have promised to scrap the system if elected.

The Conservatives are interested in both the financial and privacy implications of the proposed database. The Tories are calling for the publication of a government-commissioned security report from Deloitte, an executive summary of which was published by the government back in February. The Conservatives also intend to closely monitor the progress of the project ahead of the next readiness assessment, which is due out in June.

Tim Loughton, Shadow Minister for Children and Young People, commented: "The expert verdict is clear - ContactPoint will not be safe. The Government needs to publish urgently the full security report so that everyone can know just how insecure the database is. The Government have a terrible track record of keeping our data safe - it needs to pull the plug on this unnecessary and potentially dangerous database."

Critics of the system are united in their belief that security has been designed as an afterthought. The presence of sensitive data with no effective opt-out, and questionable security controls, are exercising researchers, the opposition and other critics such as the Joseph Rowntree Reform Trust (in its Database State paper).

Many are concerned about how the proposed shielding mechanism will work in practice and whether the functions covered by the database will expand over time, so-called mission creep. Because the database provides a mechanism for registering all children that complements the National Identity Register, its evolution and progress have become a political hot potato that the New Labour government may find difficult to handle, even if the next phase of its roll-out runs smoothly.

Implementation of the system has already been repeatedly delayed by privacy concerns. Despite the ministry's superficially impressive security policy, many privacy issues remain and could yet prove the undoing of ContactPoint, leaving a policy vacuum in how to co-ordinate the actions of care agencies that could prove difficult to plug. ®
