<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: nick]]></title>
    <link>http://securityratty.com/tag/nick</link>
    <description></description>
    <pubDate>Tue, 27 May 2008 11:30:53 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Liberal Democrat leader visits our lab]]></title>
      <link>http://securityratty.com/article/a69300e89ab3d33e212394e88a14206b</link>
      <guid>http://securityratty.com/article/a69300e89ab3d33e212394e88a14206b</guid>
      <description><![CDATA[This week, Nick Clegg , leader of the UK Liberal Democrat Party, and David Howarth , MP for Cambridgeshire, visited our hardware security lab for a demonstration of Chip &amp; PIN fraud techniques
They...]]></description>
      <content:encoded><![CDATA[<p>This week, <a href="http://www.nickclegg.com/">Nick Clegg</a>, leader of the UK Liberal Democrat Party, and <a href="http://www.davidhowarth.org.uk/">David Howarth</a>, MP for Cambridgeshire, visited our <a href="http://www.cl.cam.ac.uk/research/security/tamper/">hardware security lab</a> for a demonstration of <a href="http://www.cl.cam.ac.uk/research/security/banking/">Chip &amp; PIN fraud techniques</a>.</p>

<a href='http://www.lightbluetouchpaper.org/2008/10/17/nick-clegg-visits/clegg-visit3/' title='clegg-visit3'><img src="http://www.lightbluetouchpaper.org/wp-content/uploads/2008/10/clegg-visit3.jpg" width="150" height="112" class="attachment-thumbnail" alt="" /></a>
<a href='http://www.lightbluetouchpaper.org/2008/10/17/nick-clegg-visits/clegg-visit1/' title='clegg-visit1'><img src="http://www.lightbluetouchpaper.org/wp-content/uploads/2008/10/clegg-visit1.jpg" width="150" height="112" class="attachment-thumbnail" alt="" /></a>
<a href='http://www.lightbluetouchpaper.org/2008/10/17/nick-clegg-visits/clegg-visit5/' title='clegg-visit5'><img src="http://www.lightbluetouchpaper.org/wp-content/uploads/2008/10/clegg-visit5.jpg" width="150" height="112" class="attachment-thumbnail" alt="" /></a>

<p>They used this visit to announce their new <a href="http://www.nickclegg.com/2008/10/new-protections-against-identity-fraud-needed-clegg/">party policy on protections against identity fraud</a>. At present, credit rating companies are exempt from aspects of the Data Protection Act and can forward personal information about an individual&#8217;s financial history to companies without the subject&#8217;s consent. Clegg proposes to give individuals the right to &#8220;freeze&#8221; their credit records, making it more difficult for fraudsters to impersonate others.</p>
<p>See also the <a href="http://www.cambridge-news.co.uk/cn_news_home/DisplayArticle.asp?ID=358491">Cambridge Evening News article</a> and <a href="http://www.cambridge-news.co.uk/cn_video/media/16th_October_2008_Nick_Clegg_visit_to_Cambridge_Computer_Labs_DJ.wmv">video interview</a>.</p>
]]></content:encoded>
      <pubDate>Fri, 17 Oct 2008 15:05:08 +0000</pubDate>
      <category domain="http://securityratty.com/tag/individuals financial history">individuals financial history</category>
      <category domain="http://securityratty.com/tag/individuals">individuals</category>
      <category domain="http://securityratty.com/tag/data protection act">data protection act</category>
      <category domain="http://securityratty.com/tag/credit records">credit records</category>
      <category domain="http://securityratty.com/tag/forward personal information">forward personal information</category>
      <category domain="http://securityratty.com/tag/pin fraud techniques">pin fraud techniques</category>
      <category domain="http://securityratty.com/tag/liberal democrat party">liberal democrat party</category>
      <category domain="http://securityratty.com/tag/credit">credit</category>
      <category domain="http://securityratty.com/tag/hardware security lab">hardware security lab</category>
      <source url="http://www.lightbluetouchpaper.org/2008/10/17/nick-clegg-visits/">Liberal Democrat leader visits our lab</source>
    </item>
    <item>
      <title><![CDATA[Of Planes and Ships]]></title>
      <link>http://securityratty.com/article/47dfbf92b3eaba317f07cfa2064d0a9b</link>
      <guid>http://securityratty.com/article/47dfbf92b3eaba317f07cfa2064d0a9b</guid>
      <description><![CDATA[Tom Barnett is consistently the most interesting writer on globalization and the econo-security seam. This week's piece confronts a problem every security architect can relate to (emphasis added on the...]]></description>
      <content:encoded><![CDATA[<p><a href="http://www.thomaspmbarnett.com/weblog/2008/09/column_121.html">Tom Barnett</a> is consistently the most interesting writer on globalization and the econo-security seam. This week's piece confronts a problem every security architect can relate to (emphasis added on the "nail it to the wall" quote at the end):</p>
<blockquote>
<p>One of the main problems in counterterrorism today is that there are so many people and vehicles, and so much data and material, moving through globalization's myriad networks that it seems virtually impossible to track it all effectively. Nowhere has this problem been more acute than on the high seas.</p>
<p>In 2006, Adm. Harry Ulrich, then U.S. commander of NATO Naval Forces Europe, decided to do something about it. Despite having virtually no resources, his dream was to transpose the global air-traffic control system onto sea traffic.</p>
<p>Worldwide, aircraft are transparent, because they're all required to carry an identification beacon that allows them to be tracked leaving and entering airports, and monitored between airports, by a global network of sensors. Act suspiciously and somebody's fighter aircraft will soon be on your tail.</p>
<p>No such pervasive system currently exists globally for maritime traffic. While bigger ships carry an ID beacon similar to aircraft, without a shared monitoring network, that's like tracking only selected commercial jets and giving everyone else a pass.</p>
<p>So Ulrich, upon taking command, asked a simple question: "If we can do that in the air, why can't we do it on the sea?" He made a point of pioneering his sea-traffic-control effort first inside the Mediterranean, where NATO's southern naval forces have historically been concentrated, but his real target was waters off Africa -- the most ungoverned maritime space in the world.</p>
<p>Ulrich knew the U.S. Navy couldn't do it alone, much less bring Africa's meager coast-guard-like navies up to snuff so they could do it on their own. So he quickly created a network of assets -- both public and private -- to manage that space, modeling his monitoring system on international air-traffic control.</p>
<p>Ulrich began stitching together a network of shore-based sensors ringing the Mediterranean. His naval command then began initial monitoring by tapping into the International Maritime Organization's existing Automated Identification System, transforming NATO's ability to track ship traffic in the Med.</p>
<p>Almost overnight, NATO went from tracking dozens of ships on the Mediterranean to thousands, and instead of getting the data sometimes up to 72 hours late, now the contacts were being tracked in one to five minutes -- to an accuracy within 50 feet on the earth's surface.</p>
<p>When the classic big-firm systems integrators told Ulrich it would be too costly to pull it off, the admiral turned to the Volpe Center in Cambridge, Massachusetts, a U.S. Department of Transportation research center. Instead of hundreds of millions of dollars, Ulrich's initial network cost $900,000. The shore-based receivers are small, roughly the size of a radar dish you might find on a pleasure craft.</p>
<p>The strength of the system is a function of its reach: the more countries join, the larger the shared operational picture. By the time Ulrich retired at the end of 2007, he had enlisted 32 countries throughout the Mediterranean, the North Atlantic, along the west coast of Africa, around the Black Sea, and in the Pacific. Today, the network continues to spread around the planet.</p>
<p>With Ulrich's system in place, local police, coast guards, and border patrols catch most bad guys, obviating American military responses. As Harry told me for an article I wrote about his work in a fall 2007 issue of Esquire, <b>"I don't do defense; I do security. When you talk defense, you talk containment and mutually assured destruction. When you talk security, you talk collaboration and networking. This is the future."</b></p>
<p>The admiral's legacy program, the Maritime Safety and Security Information System, earned the Volpe Center a prestigious "Innovations in American Government" award this month from Harvard University's Ash Institute for Democratic Governance and Innovation.</p>
</blockquote>
<p>Security Collaboration + Networking = Federation. This is indeed the future; SAML came along just in the nick of time.</p>
<p>When you assume that to do access control you must have "Complete Mediation", in Saltzer and Schroeder's terms, of the subjects (users), the objects (data), the session, and the roles, then you are going to have an interesting life trying to deliver anything. And if you do, it will be mucho expensive.</p>
<p>If you take the federated autonomous nodes approach, agree upon an attribute schema plus a protection model for it, and a basic protocol, you are then free to move about the country. Security doesn't have to equal centralization or high cost. Get the attributes from point A to point B securely.</p>]]></content:encoded>
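The federated approach the post above closes with (agree on an attribute schema and a protection model for it, then get the attributes from point A to point B securely and let each node decide for itself) is shown below as an added example. It is not code from the original post or from the 1 Raindrop blog. An HMAC-SHA256 shared key stands in for the XML signature a SAML assertion would carry, a JSON claims object stands in for the SAML attribute statement, and the issuer name, audience name, key and attribute schema are all invented for the illustration. The relying party verifies signature, issuer trust, audience, lifetime and schema locally and then applies its own policy, with no call back to a central mediator.

```python
"""
Added example (not code from the original post or the 1 Raindrop blog):
a minimal federated attribute assertion. An identity provider (point A)
signs an agreed attribute schema; a relying party (point B) verifies it
locally and makes its own access decision.

Assumptions, all hypothetical: HMAC-SHA256 with a shared key stands in for
a SAML XML signature, JSON claims stand in for the SAML attribute statement,
and the issuer, audience, key and schema below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

# Agreed attribute schema: an assertion must carry exactly these attribute
# names, each with a value of the listed type. Anything else is rejected.
ATTRIBUTE_SCHEMA = {
    "uid": str,
    "affiliation": str,   # e.g. "staff", "contractor"
    "groups": list,       # list of group names
}

# Relying party's trust store: issuer name to shared HMAC key (constructed).
TRUSTED_ISSUERS = {
    "https://idp.example.org": b"constructed-shared-key-for-the-example",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, key, audience, attributes, lifetime_s=300, now=None):
    """Point A: bind the attributes to issuer, audience and a short lifetime, then sign."""
    now = time.time() if now is None else now
    claims = {
        "iss": issuer,
        "aud": audience,
        "iat": int(now),
        "exp": int(now) + lifetime_s,
        "attrs": attributes,
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_assertion(token, expected_audience, now=None):
    """Point B: check signature, issuer trust, audience, lifetime and schema.
    Returns the attribute dict, or raises ValueError naming the failing check."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
        claims = json.loads(body)
    except ValueError:
        raise ValueError("malformed assertion") from None
    if not isinstance(claims, dict):
        raise ValueError("malformed assertion")

    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected_tag = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        raise ValueError("bad signature")      # checked before any claim is trusted
    if claims.get("aud") != expected_audience:
        raise ValueError("wrong audience")     # stops replay at another relying party
    if now > claims.get("exp", 0):
        raise ValueError("expired")

    attrs = claims.get("attrs")
    if not isinstance(attrs, dict) or set(attrs) != set(ATTRIBUTE_SCHEMA):
        raise ValueError("attribute set does not match schema")
    for name, typ in ATTRIBUTE_SCHEMA.items():
        if not isinstance(attrs[name], typ):
            raise ValueError(f"attribute {name} has wrong type")
    return attrs


def authorize(attrs, resource_group):
    """Local policy at point B: staff who are in the resource's group get access."""
    return attrs["affiliation"] == "staff" and resource_group in attrs["groups"]


if __name__ == "__main__":
    key = TRUSTED_ISSUERS["https://idp.example.org"]
    token = issue_assertion("https://idp.example.org", key, "https://sp.example.net",
                            {"uid": "alice", "affiliation": "staff", "groups": ["finance"]})
    attrs = verify_assertion(token, "https://sp.example.net")
    print("finance access:", authorize(attrs, "finance"))
    try:
        verify_assertion(token, "https://other-sp.example.net")
    except ValueError as e:
        print("replayed at another SP:", e)
```

The order of checks matters: the signature is verified before any claim is acted on, and the audience check is what keeps an assertion issued for one relying party from being replayed at another. Adding a new node to the federation means adding one entry to the trust store and nothing else; no node needs to consult a central policy point at access time.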
      <pubDate>Sun, 28 Sep 2008 19:04:11 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security architect">security architect</category>
      <category domain="http://securityratty.com/tag/system">system</category>
      <category domain="http://securityratty.com/tag/identification system">identification system</category>
      <category domain="http://securityratty.com/tag/initial network cost">initial network cost</category>
      <category domain="http://securityratty.com/tag/initial">initial</category>
      <category domain="http://securityratty.com/tag/cost">cost</category>
      <category domain="http://securityratty.com/tag/ulrich">ulrich</category>
      <category domain="http://securityratty.com/tag/time ulrich">time ulrich</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/09/of-planes-and-ships.html">Of Planes and Ships</source>
    </item>
    <item>
      <title><![CDATA[Interop NY: The ROI of Social Networking]]></title>
      <link>http://securityratty.com/article/8c52c835add6dca7c33f67c83e868434</link>
      <guid>http://securityratty.com/article/8c52c835add6dca7c33f67c83e868434</guid>
      <description><![CDATA[How do you derive business value from social networks
Moderator: Nick Hoover, Senior Editor, InformationWeek
Speaker - Anne Berkowitch, Co-Founder &amp; CEO, SelectMinds
Speaker - J.B. Holston, CEO and...]]></description>
      <content:encoded><![CDATA[<p>How do you derive business <a href="http://www.interop.com/newyork/conference/enterprise-20.php" target="_blank">value from social networks</a>?</p>
<ul>
<li>Moderator: Nick Hoover, Senior Editor, InformationWeek</li>
<li>Speaker - Anne Berkowitch, Co-Founder &amp; CEO, SelectMinds</li>
<li>Speaker - J.B. Holston, CEO and President, NewsGator</li>
<li>Speaker - Umberto Milletti, CEO, InsideView</li>
</ul>
<p>Businesses can take advantage of social networks by finding innovative ways to reach out to people. Looking at who you know and how you know them can benefit you. Knowing a personal connection to someone that you are trying to contact (for sales) is helpful. The blurring between home, personal, and business life is making this information more available and easier to leverage. People are able to capture more valuable long term information from social networks.</p>
<p>A lot of social network applications can be taken from the talent management space. Deploying alumni networks as a talent source is also a great asset. Alumni represent a well-known and relevant population. This provides a great economic benefit from a social network.</p>
<p>If you are running a sales organization and looking at building a pipeline of leads, consider how these leads are relevant. The ability to get more leads is apparent in finding the right person, right connection, and right contact. Underlying everything are productivity and efficiency. How much time are sales reps spending researching and pursuing each opportunity? With information on social networks, the time can be greatly decreased. Knowledge sharing is something that can be actively measured.</p>
<p>The ROI varies with the business issue that&#8217;s trying to be addressed by a particular network. Recruiting for example has a very concrete, measurable ROI. Knowledge share gets a little more tricky. How do you measure how much is shared and the impact on business systems? Businesses need to determine what specific goal they are trying to address.</p>
<p>CFOs want to see ROI, not intuitive information. If you can demonstrate engagement and participation in these networks and knowledge sharing tools, more and more executives are getting comfortable seeing how it&#8217;s used at a qualitative and process level. It&#8217;s a very case by case basis.</p>
<p>One major crisis that we see in our customers is the competition between sales and marketing. Each wants to do their own thing; they go together like oil and water. However, the push of the economy is now forcing them to work together. This is a great opportunity for IT to step in and help them collaborate and be more productive.</p>
<p>Another source of resistance within companies is how to manage what they are trying to accomplish while still giving employees free rein on sites like Facebook. What are the incentives for using these technologies? How does it fit into your company culture and productivity scale? You must bring meaning to the structure of engaging in social networks.</p>
<p>Social networks like LinkedIn and Facebook would not exist if people did not contribute information to them. However, if people don&#8217;t know that it is there, it does not exist. People need to see the value and get drawn in to engage. There are two ways that companies get into social networks. Tie it into the business process. The general idea of social networks is intuitive and easy to understand, which makes it an easier case to present to chief executives. Make it clear - how do you go about it and what&#8217;s the value?</p>
<p>Social networks are intrinsically about extending the network: the more contacts you have, the more to choose from when researching a specific contact. It also has to be integrated into your data workflow. Companies are going to build a variety of networks inside and outside the enterprise. The big companies (SAP, IBM) are all rushing to offer collaborative and social network functionality. However, this is not entirely useful unless it&#8217;s integrated into the entire infrastructure.</p>
]]></content:encoded>
      <pubDate>Wed, 17 Sep 2008 17:54:45 +0000</pubDate>
      <category domain="http://securityratty.com/tag/alumni networks">alumni networks</category>
      <category domain="http://securityratty.com/tag/social network applications">social network applications</category>
      <category domain="http://securityratty.com/tag/networks">networks</category>
      <category domain="http://securityratty.com/tag/social network">social network</category>
      <category domain="http://securityratty.com/tag/networks inside">networks inside</category>
      <category domain="http://securityratty.com/tag/social networks">social networks</category>
      <category domain="http://securityratty.com/tag/social network functionality">social network functionality</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/roi">roi</category>
      <source url="http://blog.sciencelogic.com/interop-ny-the-roi-of-social-networking/09/2008">Interop NY: The ROI of Social Networking</source>
    </item>
    <item>
      <title><![CDATA[Risk Management at Catalyst: Learning from the Past]]></title>
      <link>http://securityratty.com/article/cdcc6abd33d2bca90707ee704a736fd7</link>
      <guid>http://securityratty.com/article/cdcc6abd33d2bca90707ee704a736fd7</guid>
      <description><![CDATA[Blogger: Trent Henry
Burton Groups Catalyst Europe conference is just around the corner. With financial services industry failures at the top of everyones mind, nows a great time to revisit how risk...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>Blogger: Trent Henry</p>

<p>Burton Group’s Catalyst Europe conference is just around the corner. With financial services industry failures at the top of everyone’s mind, now’s a great time to revisit how risk management shortcomings have tremendous impact on organizations of every kind. In a reprise of his insightful Catalyst North America talk, Nick Leeson will once again detail how inadequate controls (and foolish actions on his part) brought about the fall of Barings Bank. In addition, security conversations at Catalyst will include:</p>

<p> - How large enterprises are grappling with governance, risk, and compliance (and why “GRC” is actually a four-letter word)<br />
 - What large, distributed organizations are doing to create effective “security embassies”<br />
 - The role of metrics in managing protection and communicating with Management<br />
 - How information-centric security will unfold over the next five years</p>

<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/FJEDKgiCIXE&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><embed src="http://www.youtube.com/v/FJEDKgiCIXE&hl=en&fs=1" type="application/x-shockwave-flash" allowfullscreen="true" width="425" height="344"></embed></object></p></div>
]]></content:encoded>
      <pubDate>Wed, 17 Sep 2008 07:00:26 +0000</pubDate>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/management">management</category>
      <category domain="http://securityratty.com/tag/catalyst">catalyst</category>
      <category domain="http://securityratty.com/tag/effective security embassies">effective security embassies</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/risk management shortcomings">risk management shortcomings</category>
      <category domain="http://securityratty.com/tag/catalyst europe conference">catalyst europe conference</category>
      <category domain="http://securityratty.com/tag/security conversations">security conversations</category>
      <category domain="http://securityratty.com/tag/nick leeson">nick leeson</category>
      <source url="http://feeds.feedburner.com/~r/SecurityAndRiskManagementStrategiesBlog/~3/395263711/risk-management.html">Risk Management at Catalyst: Learning from the Past</source>
    </item>
    <item>
      <title><![CDATA[Achieving Compliance Through Good Governance]]></title>
      <link>http://securityratty.com/article/444be0d7e591c4e9b6a82f988d2a85c6</link>
      <guid>http://securityratty.com/article/444be0d7e591c4e9b6a82f988d2a85c6</guid>
      <description><![CDATA[(Source: Novell) Novell's Nick Nikols discusses achieving compliance through good...]]></description>
      <content:encoded><![CDATA[<b>(Source: Novell)</b> Novell's Nick Nikols discusses achieving compliance through good governance.
]]></content:encoded>
      <pubDate>Wed, 30 Jul 2008 09:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/nick nikols discusses">nick nikols discusses</category>
      <category domain="http://securityratty.com/tag/compliance">compliance</category>
      <category domain="http://securityratty.com/tag/governance">governance</category>
      <category domain="http://securityratty.com/tag/novell">novell</category>
      <category domain="http://securityratty.com/tag/source">source</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/350702495/webcast.do">Achieving Compliance Through Good Governance</source>
    </item>
    <item>
      <title><![CDATA[Get Involved Now In Cloud Computing Discussions]]></title>
      <link>http://securityratty.com/article/a06cd0de4e69f284cadf864ed07e11a2</link>
      <guid>http://securityratty.com/article/a06cd0de4e69f284cadf864ed07e11a2</guid>
      <description><![CDATA[This week Amazons Simple Storage Service (S3) suffered a major outage that affected several websites that rely on the service. This is actually the second major outage for Amazon S3 this year. As a...]]></description>
      <content:encoded><![CDATA[<p><img border="0" title="Stephanie Balaouras" alt="Stephanie Balaouras" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Stephanie-Balaouras.gif" style="margin: 0px 5px 5px 0px; float: left;" /></p>
<p>This week Amazon’s Simple Storage Service (S3) suffered a major outage that affected several websites that rely on the service. This is actually the second major outage for Amazon S3 this year. As a result of these and other reported outages, some companies will come to question whether they should pursue these new cloud-based services in the future. I agree with <a href="http://www.roughtype.com/archives/2008/02/amazons_s3_util.php">Nick Carr</a>: whether you’re a startup looking to rely on the cloud almost exclusively for computing power and storage capacity or you’re a brick and mortar company who may want to use SaaS services for CRM or an <a href="http://www.forrester.com/go?docid=42947">online backup service</a>, these outages should not scare companies away from cloud-based services. Outages are inevitable; no one, not the most sophisticated internal IT shops on Wall Street, nor the largest service providers, can offer 100% availability all the time. <a href="http://status.aws.amazon.com/">Amazon threw everything it had to fix the problem</a> and was able to address the outage in several hours. How well would you be able to execute on your disaster recovery plan if you had a major outage?</p>

<p>Instead of avoiding cloud-based services, organizations need to be savvier about the security and resiliency of the service provider. In fact, your organization may already be in pursuit of these services. Online backup is becoming a viable alternative to premise-based solutions for PC backup as well as remote office backup. Next will be a number of services related to information management such as online archiving and online records management, and more online storage offerings to support low cost storage. Further down the road, there will also be hosted, multi-tenancy Exchange solutions. Get involved in these discussions. Don’t take it for granted that the potential service provider has hardened data centers that meet Tier III or Tier IV classifications (these classifications describe data center site infrastructure and topology; Tier IV is the highest rating), that your data is replicated to another data center, that your data is encrypted in flight and at rest, and that the service provider has strong security measures in place so that administrators can support the infrastructure but not access or even see your organization’s information. <a href="http://www.forrester.com/go?docid=43849">Organizations should have consistent processes before, during and after the contracts have been signed.</a></p>

<p class="MsoNormal" style="margin: 0pt;"><span face="Times New Roman"><br /></span></p>

<p class="MsoNormal" style="margin: 0pt;"><span face="Times New Roman">And, when you ask about SLAs regarding resiliency, keep in mind that there will be some downtime for routine maintenance and that some unplanned downtime is inevitable. Consider a service provider that might boast about 99.9% availability (8 hours/year outage for 24x7). What is the difference between the following?</span></p>

<p class="MsoNormal" style="margin: 0pt;"></p>





<p class="MsoNormal" style="margin: 0pt 0pt 0pt 90pt; text-indent: -18pt;"><span style="font-family: Symbol;">·<span style="font-family: &quot;Times New Roman&quot;; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">&nbsp;</span></span><span face="Times New Roman">8 AM to 4 PM on the last Friday of the quarter </span></p>

<p class="MsoNormal" style="margin: 0pt 0pt 0pt 90pt; text-indent: -18pt;"><span style="font-family: Symbol;">·<span style="font-family: &quot;Times New Roman&quot;; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;">&nbsp;</span></span><span face="Times New Roman">Biweekly outages of 30 min at 4 AM local time</span></p>

<p class="MsoNormal" style="margin: 0pt;"><span face="Times New Roman">Timing and duration are more important than total downtime/outage.</span></p>
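<p class="MsoNormal" style="margin: 0pt;"><span face="Times New Roman">The comparison above can be made concrete. The Python below is an added example, not part of the original Forrester post: it turns a 99.9% availability figure into an annual downtime budget and evaluates the two outage patterns from the list against that budget and against an assumed business-hours window (08:00 to 18:00, Monday to Friday, which the post does not specify). The quarter-end pattern is modeled as a single 8 AM to 4 PM outage on the last Friday of Q4, the biweekly pattern as a 30-minute outage every two weeks starting January 1; both are modeling assumptions, as is the year 2008 used for the run.</span></p>

```python
"""Compare outage schedules against an availability SLA.

Added example (not part of the original post): the 99.9% figure and the two
outage patterns come from the text; business hours and the year are assumptions.
"""
from datetime import datetime, timedelta

HOURS_PER_YEAR = 365 * 24

# Assumption (not from the post): business hours are 08:00-18:00, Monday-Friday.
BUSINESS_START_HOUR = 8
BUSINESS_END_HOUR = 18
STEP = timedelta(minutes=15)  # resolution at which outage windows are sampled


def downtime_budget_hours(availability_pct):
    """Hours of downtime per year that an availability percentage permits (24x7)."""
    return HOURS_PER_YEAR * (1.0 - availability_pct / 100.0)


def last_friday_of_quarter(year, quarter):
    """Midnight on the last Friday of calendar quarter 1-4 of the given year."""
    end_month = quarter * 3
    if end_month == 12:
        last_day = datetime(year, 12, 31)
    else:
        last_day = datetime(year, end_month + 1, 1) - timedelta(days=1)
    # weekday(): Monday == 0 ... Friday == 4; step back to the preceding Friday.
    return last_day - timedelta(days=(last_day.weekday() - 4) % 7)


def business_hours_overlap(start, duration):
    """Hours of one outage window that fall inside the assumed business hours.

    The window is sampled every STEP, so durations should be multiples of STEP.
    """
    overlap = timedelta()
    t, end = start, start + duration
    while t < end:
        if t.weekday() < 5 and BUSINESS_START_HOUR <= t.hour < BUSINESS_END_HOUR:
            overlap += STEP
        t += STEP
    return overlap.total_seconds() / 3600.0


def schedule_quarter_end_friday(year, quarter=4):
    """Pattern A from the post: one 8 AM-4 PM outage on the last Friday of a quarter."""
    start = last_friday_of_quarter(year, quarter).replace(hour=8)
    return [(start, timedelta(hours=8))]


def schedule_biweekly_night(year):
    """Pattern B from the post: a 30-minute outage at 4 AM local time every two weeks."""
    start = datetime(year, 1, 1, 4, 0)
    windows = []
    while start.year == year:
        windows.append((start, timedelta(minutes=30)))
        start += timedelta(weeks=2)
    return windows


def assess(windows, availability_pct):
    """Total downtime, downtime inside business hours, and whether the SLA budget holds."""
    total = sum(d.total_seconds() for _, d in windows) / 3600.0
    business = sum(business_hours_overlap(s, d) for s, d in windows)
    return {
        "total_hours": total,
        "business_hours": business,
        "within_budget": total <= downtime_budget_hours(availability_pct),
    }


if __name__ == "__main__":
    year, sla = 2008, 99.9
    print("99.9%% budget: %.2f hours/year" % downtime_budget_hours(sla))
    print("quarter-end Friday:", assess(schedule_quarter_end_friday(year), sla))
    print("biweekly 4 AM:     ", assess(schedule_biweekly_night(year), sla))
```

<p class="MsoNormal" style="margin: 0pt;"><span face="Times New Roman">Run for 2008, the quarter-end Friday outage uses 8 of the 8.76 budgeted hours, but all 8 of them land in business hours on the day finance closes the quarter. The biweekly pattern adds up to 13.5 hours, more than the budget allows, yet none of it touches business hours. A bare 99.9% in the SLA cannot tell these two apart, which is why the maintenance window’s timing belongs in the contract next to the percentage.</span></p>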

<p class="MsoNormal" style="margin: 0pt;"><span face="Times New Roman">Get involved in these discussions but be careful not to come off as the obstacle or as the doomsayer. Quite the opposite, you want to be seen as the enabler. Help the organization understand some of the potential risks but then help the organization define its resiliency requirements, security requirements, and risk tolerance. When the organization knows this, it can more confidently go out and select the right service provider, negotiate the appropriate SLAs and be prepared ahead of time with contingency plans for any potential service outages.</span></p>]]></content:encoded>
      <pubDate>Thu, 24 Jul 2008 06:55:19 +0000</pubDate>
      <category domain="http://securityratty.com/tag/service">service</category>
      <category domain="http://securityratty.com/tag/online backup service">online backup service</category>
      <category domain="http://securityratty.com/tag/online">online</category>
      <category domain="http://securityratty.com/tag/potential service provider">potential service provider</category>
      <category domain="http://securityratty.com/tag/service provider">service provider</category>
      <category domain="http://securityratty.com/tag/online storage offerings">online storage offerings</category>
      <category domain="http://securityratty.com/tag/online records management">online records management</category>
      <category domain="http://securityratty.com/tag/online backup">online backup</category>
      <category domain="http://securityratty.com/tag/potential service outages">potential service outages</category>
      <source url="http://blogs.forrester.com/srm/2008/07/get-involved-no.html">Get Involved Now In Cloud Computing Discussions</source>
    </item>
    <item>
      <title><![CDATA[A Hot Cloudless Computing Day in Florida]]></title>
      <link>http://securityratty.com/article/b81fb70f1fd9cdfcfb0287c075a854d5</link>
      <guid>http://securityratty.com/article/b81fb70f1fd9cdfcfb0287c075a854d5</guid>
      <description><![CDATA[From the Gartner IT Infrastructure, Operations &amp; Management Summit in balmy Florida
First of all, I’d like to point out a major difference between the Gartner conference and the big Cisco Live user...]]></description>
      <content:encoded><![CDATA[<p>From the <a href="http://www.gartner.com/it/page.jsp?id=603107" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.gartner.com');" target="_blank">Gartner IT Infrastructure, Operations &amp; Management Summit</a> in balmy Florida…</p>
<p>First of all, I’d like to point out a major difference between the Gartner conference and the big <a href="http://www.cisco-live.com/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.cisco-live.com');" target="_blank">Cisco Live</a> user conference going on down here at the same time. Keynotes start at 8am at the Gartner show – and before that is breakfast, networking, etc. etc. John Chambers’ keynote over at Cisco Live starts at 10am. 8am versus 10am. I knew there was a reason I should have been a network engineer&#8230;</p>
<p><img style="border-right: 0px; border-top: 0px; margin: 0px 10px 10px 0px; border-left: 0px; border-bottom: 0px" src="http://blog.sciencelogic.com/wp-content/uploads/2008/06/cloud-question-mark-cloud-computing.jpg" border="0" alt="cloud-question-mark-cloud-computing" width="156" height="244" align="left" />But here’s something they don’t have at Cisco Live – <a href="http://agendabuilder.gartner.com/str24/WebPages/SessionList.aspx?Speaker=85" onclick="javascript:pageTracker._trackPageview('/outbound/article/agendabuilder.gartner.com');" target="_blank">VP &amp; Distinguished Analyst Thomas Bittman</a> talking about Cloud Computing and the Future of Infrastructure.</p>
<p><em>(</em><a href="http://www.watblog.com/2008/03/25/yahoo-computational-research-laboratories-team-up-for-cloud-computing-research/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.watblog.com');" target="_blank"><em>Picture credit: WATBlog</em></a><em>)</em></p>
<p><strong>Point:</strong> The idea is that <a href="http://opensource.sys-con.com/read/585485.htm" onclick="javascript:pageTracker._trackPageview('/outbound/article/opensource.sys-con.com');" target="_blank">it’s complex to create computing power</a> so we should centralize it among a few providers (Google, Amazon, eBay) to gain economies of scale. Ability to drive down price by centralizing and getting to scale is just too compelling. In this scenario, computing is a commodity; IT is a commodity. Remember Nick Carr’s controversial book, “Does IT Matter”?</p>
<p><strong>Gartner Counterpoint:</strong> IT is not a commodity because of constant innovation. So it’s not about a big investment in old/stagnating technology but more about developing and investing in agility. <a href="http://www.itbusinessedge.com/blogs/tve/?p=285" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.itbusinessedge.com');" target="_blank">There will not be a few cloud computing providers</a> but thousands.</p>
<p><strong>A quick definition of Cloud Computing by Gartner</strong>: a style of computing where massively scalable IT-enabled capabilities are delivered as a service to external customers using Internet technologies.</p>
<p><strong>Cloud Computing Drivers:</strong></p>
<ul>
<li>connections are becoming pervasive (anywhere, anytime)</li>
<li>response time expectations are shrinking</li>
<li>relationships are online and short-lived</li>
</ul>
<p>Tom Bittman shared a view of the <a href="http://www.roughtype.com/archives/2008/06/microsoft_to_pu.php" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.roughtype.com');" target="_blank">evolution of the data center</a> – from “Silos to Clouds”. Prior to about 2002, data centers were sprawling, siloed organizations focused on component management. Over time, <a href="http://blogs.eweek.com/masked_intentions/content/systems_management/it_management_in_the_age_of_cloud_computing.html" onclick="javascript:pageTracker._trackPageview('/outbound/article/blogs.eweek.com');" target="_blank">hardware costs have gone down and flexibility has gone up, spurred by technologies like virtualization</a> that create fluid pools of capacity that can be moved around intelligently. What we are <a href="http://blogs.zdnet.com/Gardner/?p=2685" onclick="javascript:pageTracker._trackPageview('/outbound/article/blogs.zdnet.com');" target="_blank">moving towards is an automated, services-oriented environment in data centers</a> that is focused on enabling agility. Ecco Cloud Computing!</p>
<p><strong>Gartner predictions:</strong></p>
<ul>
<li>By 2012, 80% of the Fortune 100 will be paying for some cloud computing services, and</li>
<li>30% will be paying for cloud computing infrastructure services.</li>
</ul>
]]></content:encoded>
      <pubDate>Tue, 24 Jun 2008 15:46:12 +0000</pubDate>
      <category domain="http://securityratty.com/tag/gartner">gartner</category>
      <category domain="http://securityratty.com/tag/gartner counterpoint">gartner counterpoint</category>
      <category domain="http://securityratty.com/tag/cloud">cloud</category>
      <category domain="http://securityratty.com/tag/ecco cloud">ecco cloud</category>
      <category domain="http://securityratty.com/tag/gartner predictions">gartner predictions</category>
      <category domain="http://securityratty.com/tag/8am versus 10am">8am versus 10am</category>
      <category domain="http://securityratty.com/tag/infrastructure services">infrastructure services</category>
      <category domain="http://securityratty.com/tag/time">time</category>
      <category domain="http://securityratty.com/tag/services">services</category>
      <source url="http://blog.sciencelogic.com/a-hot-cloudless-computing-day-in-florida/06/2008">A Hot Cloudless Computing Day in Florida</source>
    </item>
    <item>
      <title><![CDATA[EIC 2008: Takeaways from Europe's biggest identity event]]></title>
      <link>http://securityratty.com/article/f0c9e9b51234be82cd6931f69a06573e</link>
      <guid>http://securityratty.com/article/f0c9e9b51234be82cd6931f69a06573e</guid>
      <description><![CDATA[Several weeks on and I'm still digesting the massive amount of information and insight from the second European identity conference in Munich, organized by Kuppinger Cole. Five days chock-full of...]]></description>
      <content:encoded><![CDATA[<p><img border="0" title="Bill Nagel" alt="Bill Nagel" src="http://www.forrester.com/role_based/images/author/imported/forresterDotCom/Analyst_Photos/Silhouette/Color/Bill-Nagel.gif" style="margin: 0px 5px 5px 0px; float: left;" /></p>

<p>Several weeks on and I'm still digesting the massive amount of information and insight from the second <a href="http://www.id-conf.com/events/eic2008/agenda">European identity conference</a> in Munich, organized by Kuppinger Cole. Five days chock-full of content (7 am to 7 pm every day!), 50 exhibitors, 130 speakers, four workshop tracks, five theme tracks, and 25 best-practice sessions. Hundreds of delegates showed up from all over, even though <a href="http://blogs.forrester.com/srm/2008/04/infosec-2008-se.html">Infosecurity 2008 was raging</a> in London the same week. EIC 2008 was a superbly run event, with the seemingly inexhaustible Martin Kuppinger at the center of the storm.</p>

<p>It's difficult to sum up the content: Internet-scale identity, identity-driven security, federation, single sign-on (SSO), provisioning, context-based authentication, mobile and user-centric identity, SOA, entitlement management, and information risk management all commanded their own tracks. But some unifying themes emerged, chief among them that well-planned and -implemented identity and access management (IAM) is increasingly a must-have if we want to have effective information security, information risk management, and even GRC in today's and tomorrow's enterprises. 2008 may not be the tipping point for IAM, but we're getting close. A few highlights:</p>

<ul><li>It seemed that every third presentation contained the words &quot;Société Générale&quot; or &quot;<a href="http://en.wikipedia.org/wiki/Kerviel">Jérôme Kerviel</a>&quot;. Nothing like an(other) egregious breach of policy, procedure, and trust to concentrate the mind! Suddenly everyone is rediscovering the <a href="http://en.wikipedia.org/wiki/Barings_Bank">Barings debacle</a> of a decade ago and recalling the name &quot;Nick Leeson&quot; — and realizing that, while we have made great technological strides in the past decade, all too often the people and process elements get short shrift. (If the control framework breaks down, it matters little what tech was used to enact it...). So while there was plenty of forward-looking technology-centric discussion, the thread of policy and process ran through every conversation — there was even an entire track session devoted to avoiding internal fraud via rogue trading and the changing threat landscape. </li>

<li>A lot of the <a href="http://identity20.com/">Identity 2.0</a> discussion was still quite fuzzy. There was little agreement on what <a href="http://www.forrester.com/Research/Document/0,7211,43632,00.html">mobile identity</a> really means and how companies offering consumer services can provide it to customers, and what the role of mobile operators (who at the moment look like the weak link in the security chain) might ultimately be. User-centric identity is a great idea, but needs to be implemented in a way that gives users meaningful control over their identities and associated credentials in a way that doesn't also shift all of the liability for financial fraud (identity abuse) from institutions to individuals. This has significant implications for things like mobile commerce. </li>

<li>There was a great <a href="http://www.forrester.com/Research/Document/0,7211,43123,00.html">physical/logical convergence</a> case study from <a href="http://www.covcollege.ac.uk/">City College Coventry</a> (UK), which is providing converged smart-card credentials to more than 10,000 students and staff. The card will function as an ID badge across the College, parking pass, building pass, cashless payment card, library card, etc. It will also be required to use any computer, printer, or photocopier connected to the College's network, and will allow lecturers secure access to classroom resources. The College does have the luxury of setting up this system in the context of moving to brand-new facilities, but it shows that if the IT and physical security folks can agree to pull in the same direction, convergence is a wholly attainable goal. </li>

<li>Results of an enterprise IAM study were presented; one of the most troubling findings was that half of the respondents reported that their biggest obstacle to implementing IAM was that the business was just not ready for it. User management is often in place, but downstream functions like auditing and monitoring are still far from mature in a holistic IAM context. Firms also report big gaps between expected and actual benefits from implementing IAM. That last bit is one reason we advise not trying to do it all at once; rather, break a planned IAM implementation into manageable project chunks, focusing on one set of short-term, tangible, demonstrable benefits at a time.</li></ul>

<p>One panelist put it best: Technology maturity and integration are all well and good, but we need workflow integration and organizational maturity. The need to implement IAM provides an opportunity to share information, define new policies and processes, and streamline existing ones. The CEO and CIO/CSO/CISO need to sit at the same table, commit to eliminating organizational silos, and devise a cooperative approach.</p>]]></content:encoded>
      <pubDate>Fri, 13 Jun 2008 04:19:15 +0000</pubDate>
      <category domain="http://securityratty.com/tag/identity">identity</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information risk management">information risk management</category>
      <category domain="http://securityratty.com/tag/user-centric identity">user-centric identity</category>
      <category domain="http://securityratty.com/tag/iam">iam</category>
      <category domain="http://securityratty.com/tag/iam implementation">iam implementation</category>
      <category domain="http://securityratty.com/tag/effective information security">effective information security</category>
      <category domain="http://securityratty.com/tag/implement iam">implement iam</category>
      <category domain="http://securityratty.com/tag/holistic iam context">holistic iam context</category>
      <source url="http://blogs.forrester.com/srm/2008/06/eic-2008-takeaw.html">EIC 2008: Takeaways from Europe's biggest identity event</source>
    </item>
    <item>
      <title><![CDATA[42 Days In A Hole?]]></title>
      <link>http://securityratty.com/article/cca674dee75b546491e9846bc571c44c</link>
      <guid>http://securityratty.com/article/cca674dee75b546491e9846bc571c44c</guid>
<description><![CDATA[Jeebus. The UK gov’t has apparently been into the Bush White House’s private stash of recreational horticulture
Being commanded about by the child-monster has slowed down my news consumption. So, big...]]></description>
      <content:encoded><![CDATA[<p>Jeebus. The UK gov&#8217;t has apparently been into the Bush White House&#8217;s private stash of recreational horticulture. </p>
<p>Being commanded about by the child-monster has slowed down my news consumption. So, big thanks to Portswigger for the heads up. Apparently the UK gov&#8217;t wants to set the new detention limit without charges to 42 days. This has triggered a firestorm.</p>
<p>From BBC:</p>
<blockquote><p>Shadow home secretary David Davis has resigned as an MP.</p>
<p>He is to force a by-election in his Haltemprice and Howden constituency which he will fight on the issue of the new 42-day terror detention limit.</p>
<p>Mr Davis told reporters outside the House of Commons he believed his move was a &#8220;noble endeavour&#8221; to stop the erosion of British civil liberties.</p>
<p>The 59-year-old is one of the best known Tory MPs and his resignation came as a complete surprise in Westminster.</p>
<p>He told reporters outside the Commons: &#8220;I will argue in this by-election against the slow strangulation of fundamental British freedoms by this government.&#8221;</p>
<p>BBC Political Editor Nick Robinson said it was an extraordinary move which was almost without precedent in British politics. </p></blockquote>
<p>Read on.</p>
<p><a href="http://news.bbc.co.uk/2/hi/uk_news/politics/7450627.stm">Article Link</a></p>

]]></content:encoded>
      <pubDate>Thu, 12 Jun 2008 09:58:15 +0000</pubDate>
      <category domain="http://securityratty.com/tag/move">move</category>
      <category domain="http://securityratty.com/tag/british civil liberties">british civil liberties</category>
      <category domain="http://securityratty.com/tag/extraordinary move">extraordinary move</category>
      <category domain="http://securityratty.com/tag/bush white houses">bush white houses</category>
      <category domain="http://securityratty.com/tag/fundamental british freedoms">fundamental british freedoms</category>
      <category domain="http://securityratty.com/tag/recreational horticulture">recreational horticulture</category>
      <category domain="http://securityratty.com/tag/news consumption">news consumption</category>
      <category domain="http://securityratty.com/tag/article link">article link</category>
      <category domain="http://securityratty.com/tag/detention limit">detention limit</category>
      <source url="http://feeds.feedburner.com/~r/Liquidmatrix/~3/310417717/">42 Days In A Hole?</source>
    </item>
    <item>
      <title><![CDATA[Blogtard or Hero ?]]></title>
      <link>http://securityratty.com/article/003b2024fd4c7070f3ac8739823bfd0e</link>
      <guid>http://securityratty.com/article/003b2024fd4c7070f3ac8739823bfd0e</guid>
      <description><![CDATA[In a recent The Register article , the firing of a TJX employee who blogged about security deficiencies was noted
TJX Companies, the mammoth US retailer whose substandard security led to the world’s...]]></description>
      <content:encoded><![CDATA[<p>In a recent <a href="http://www.theregister.co.uk/2008/05/23/tjx_fires_whistleblower/">The Register article</a>, the firing of a TJX employee who blogged about security deficiencies was noted&#8230;</p>
<blockquote><p>TJX Companies, the mammoth US retailer whose substandard security led to the world&#8217;s biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked.</p>
<p>Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas, that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.</p>
<p>Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager named Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.</p></blockquote>
<p>So happy shiny Liquidmatrix Security Digest readership&#8230;</p>
<p>Is he a Blogtard or a Hero?  </p>
<p>&#8230; and do you have a published, communicated, and monitored employee policy on blogging about your company?</p>
<p> Tags: <a href="http://technorati.com/tag/TJX" rel="tag">TJX</a>, <a href="http://technorati.com/tag/Blogtard" rel="tag"> Blogtard</a>, <a href="http://technorati.com/tag/Whistleblower" rel="tag"> Whistleblower</a>, <a href="http://technorati.com/tag/Internet+Asshattery" rel="tag"> Internet Asshattery</a></p>

]]></content:encoded>
      <pubDate>Tue, 27 May 2008 11:30:53 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security practices">security practices</category>
      <category domain="http://securityratty.com/tag/fired employee">fired employee</category>
      <category domain="http://securityratty.com/tag/employee">employee</category>
      <category domain="http://securityratty.com/tag/substandard security led">substandard security led</category>
      <category domain="http://securityratty.com/tag/store managers">store managers</category>
      <category domain="http://securityratty.com/tag/managers">managers</category>
      <category domain="http://securityratty.com/tag/security issues">security issues</category>
      <category domain="http://securityratty.com/tag/employee policy">employee policy</category>
      <source url="http://feeds.feedburner.com/~r/Liquidmatrix/~3/299157190/">Blogtard or Hero ?</source>
    </item>
  </channel>
</rss>
