
Security Lessons and Your Personal Firewall

Written by Oliver Marks, Contributor

There's an interesting dynamic I've been noticing and discussing a lot recently - people and companies are grappling with how to project some facets of their lives and information online while keeping other areas secret.

As I suggested in my previous post, it was entirely possible that the Mumbai attackers were monitoring communications and the media live during their rampage - there is now firm evidence they were using Blackberries.

We are going to have to get a lot more sophisticated in how we apply and use security with modern technologies both on a personal level and in business - there are remarkable similarities.

Whether it is a mother incensed that tagged images of her young daughter are uploaded without her permission or knowledge to sites like Flickr and Facebook after a children's party by other attendees, or banter on Twitter about the Mumbai attacks that could reveal position and status information to the attackers in real time, there are some difficult societal issues emerging.

We are in an era when information flow of all types is phenomenal. The shadow global financial markets have shown us how security sophistication enabled communication impenetrable to all but a few, with hugely negative and disruptive results. This is the negative side of a closed system which isn't being monitored and regulated effectively.

The counter flow in the IT world is the planned move to cloud services in large companies which undermines the power of the force field around the IT czar and their staff in the typical company. Monitoring and enforcing regulations is a key part of traditional IT.

Already grappling with firewalls penetrated by ever increasing numbers of connections to external customers, partners, employees and systems, 'traditional' IT has the same problem we all do in this era: flexible communication with viable security. The Facebook dilemma for people with multiple social circles is a more benign personal example - you're having a party on Saturday night, but you only want to invite your friends whose taste matches the musical theme of the evening. How do you create the social discretion needed for the intimate soiree, and prevent your uninvited friends getting upset when they see the party pics in your profile later?

It's almost as if we need personal security levels in our lives - different stages of information availability. Another Facebook example - the drunken escapade pictures in your profile don't play so well with the 300 new friends you've made since that incident, or with most potential employers, but you want to retain them for your friends who were with you that night and who tagged you in them. Facebook has security settings but most people don't know how to use them.

Transposing these issues to the typical company, we have the classic problem. At one end of the spectrum is legacy security enforcement on enterprise-class systems; at the other is ad hoc usage of modern browser-based 'software as a service' applications by business units who got up and running in minutes with an expensed credit card debit.

Neither is a satisfactory security solution - one is increasingly too rigid and inflexible, the other often perceived to be too loose and therefore a potential critical security leak.

Despite the incredible flexibility and connectedness modern society offers those who know how to use the tools, we are lagging in our understanding of how to create appropriate security standards.

The western world prides itself on the concepts of open democracy. There is a commonsense element about revealing valuable information publicly which seems in short supply across a broad swathe of society right now. I wonder if 'security' will be on school curriculums in the future? It would certainly be a valuable lesson to learn for all walks of life.
