Data security is not enough - we need provenance too
Just because the 'porn pirates' were on a database does not prove their guilt
Published 12:44, 29 September 10
There are at least two issues here, the first being that the data should have been encrypted, especially as it appears to hold some credit card details, as well as other personally identifiable information.
The second is the validity of the data - how do we know it proves anything about the behaviour of the people registered to the cards?
There have been a number of cases where stolen credit card information and unsecured wireless networks have been used by cyber criminals to download illegal material.
In essence, on the Internet no-one knows if you are who you say you are. It is relatively simple to impersonate other systems and buy other people’s credit card details (including CCVs). A botnet can take over your home or office systems and make them a hub for illegal file sharing and spam, all without you knowing about it until the police turn up at your door or the data gets leaked onto the net.
There is a huge need for stronger identity management, authentication, authorisation and data signing, so that data which is out there in the ether can be correctly attributed to its author (or creator) - and, more importantly, so that data which shouldn’t be associated with the alleged author can be quickly dismissed before it damages reputations.
Data provenance is becoming an issue we all need to be concerned with. For the past two years the Jericho Forum has concentrated on the cloud and secure working in it. While this problem hasn’t been completely solved, there are now a number of initiatives, such as the Cloud Security Alliance and ENISA, which are providing practical guidelines to improve security.
The next big problem the Jericho Forum is working on is identity and access management, which will expand the opportunities for collaboration in the cloud while reducing the risks.
Guy Bunker, Jericho Forum board member