Finding the Silver Lining

By Guy Bunker

I spoke last week at the NATO NIAS2013 conference in Mons, Belgium. It was a great event with a thousand or so attendees, and my keynote was entitled ‘Finding the silver lining’. The theme of the conference was cloud computing and obviously our angle was around security. The session went well – with one of the largest screens I have ever used… I needed directions to get from one side of the stage to the other. As with most of these relatively large events, there are never too many questions from the audience at the end of the formal talk; rather, it is the rush to the stage when you finish which makes doing these events really interesting.

One of the points in my talk was about the increased focus on ‘collaboration’ and the growing need for a better understanding of organisational information, including the different types of information in question: who will have access, where they will access it from and how they will access it, along with the value it has to the organisation and the risks and associated consequences should it be compromised. For many organisations this is not known, let alone understood, and without this it is really difficult to make the decision as to whether the cloud is a good place to store or process the company’s information. I covered the golden rule of selecting a service provider, which can be summed up in a single question: “Does the provider you are selecting have at least as much security as you would provide?” If the answer is ‘no’ then it’s probably time to select a different one! However, there is then the challenge that some of the people selecting the service don’t understand the security that their own organisation provides – so answering the question becomes impossible for many, unless they know where to get some help. Time for the IT department to step up to the plate, offer help and realise that enhancing cybersecurity really doesn’t undermine their job.

I also talked about policy and how it not only needs to be communicated and enforced, but that this needs to happen on a regular basis and to absolutely everyone. Security today is a dynamic operation which has to change to support new ways of working – there is no ‘set and forget’. Policy for the organisation needs to take into account cloud services and third-party interactions; it needs to understand that different people have different expectations and understandings. The current generation of young adults share more information than is probably good for them. When we talk about NATO this includes the troops on the ground posting images from smartphones which have GPS coordinates. So, they need to be aware that this is happening… and how they prevent it. Just saying ‘don’t post pictures’ is pointless – as they will.

Cloud computing, like social networking, is here to stay and the real question is how quickly these new technologies can be fully embraced – in a secure manner. Thinking that they can be blocked is like an ostrich putting its head in the sand… just because you can’t see it, doesn’t mean it isn’t happening. The can of worms is open… and they’re not going back. (My slide with a can of worms did raise a few eyebrows!)

At the end of the talk I finished with the reality that ‘today’ not everything can or should go into the cloud. Often the security of a cloud service needs to be augmented to help protect the information – but this isn’t bad, it just shows understanding of the issues and ‘care’ for the information. New technologies such as Adaptive Redaction enable more collaboration into the cloud by assuring that only the right information is shared.

I finished with the line “When you leave the cloud… leave no trace… if you can!” and that was what prompted a long discussion after I left the stage with several members of the audience. (The discussion ended up being longer than the talk!) Much of it was around privacy, especially the blurring of information on the individual which is gathered through their electronic trails as well as things like CCTV. Would legislation help? Could we ever be sure that information held in a cloud service was ever deleted? Why couldn’t we set parameters on how long data would be held? Would there be a good assurance that only the right people saw the information? We didn’t reach any conclusions… just that we live in interesting times. The amount of information that is being created and shared is rocketing up and most people don’t understand the consequences of sharing *anything*. Until they do, the risks will continue to rise unabated. Maybe a topic for next year…