This week Amazon’s Simple Storage Service (S3) suffered a major outage that affected several websites that rely on the service. This is actually the second major outage for Amazon S3 this year. As a result of these and other reported outages, some companies will come to question whether they should pursue these new cloud-based services in the future. I agree with Nick Carr, whether you’re a startup looking to rely on the cloud almost exclusively for computing power and storage capacity or you’re a brick and mortar company who may want to use SaaS services for CRM or an online backup service, these outages should not scare companies away from cloud-based services. Outages are inevitable; no one, not the most sophisticated internal IT shops on Wall Street, or the largest service providers can offer 100% availability all the time. Amazon threw everything it had to fix the problem and was able to address the outage in several hours. How well would you be able to execute on your disaster recovery plan if you had a major outage?

Instead of avoiding cloud-based services, organizations need to be savvier about security and resiliency of the service provider. In fact, your organization may already be in pursuit of these services. Online backup is becoming a viable alternate to premise-based solutions for PC backup as well as remote office backup. Next will be a number of services related to information management such as online archiving and online records management and more online storage offerings to support low cost storage. Further down the road, there will also be hosted, multi-tenancy Exchange solutions. Get involved in these discussions. Don’t take it for granted that the potential service provider has hardened data centers that meet Tier III or Tier IV classifications (these classifications describe data center site infrastructure and topology, Tier IV is the highest rating), that your data is replicated to another data center, that your data is encrypted in flight and at rest and that the service provider has strong security measures in place so that administrators can support the infrastructure but not access or even see your organization’s information. Organizations should have consistent processes before, during and after the contracts have been signed.

And, when you ask about SLAs regarding resiliency, keep in mind that there will be some downtime for routine maintenance and that some unplanned downtime is inevitable. Consider a service provider that might boast about 99.9% availability (8 hours/year outage for 24x7). What is the difference between the following?

· 8 AM to 4 PM on the last Friday of the quarter

· Biweekly outages of 30 min at 4 AM local time

Timing and duration are more important than total downtime/outage.

Get involved in these discussions but be careful not to come off as the obstacle or as the doomsayer. Quite the opposite, you want to be seen as the enabler. Help the organization understand some of the potential risks but then help the organization define its resiliency requirements, security requirements, and risk tolerance. When the organization knows this, it can more confidently go out and select the right service provider, negotiate the appropriate SLAs and be prepared ahead of time with contingency plans for any potential service outages.

So another week, another travel nightmare.  This week I am in the DC area for a few days, than flying over to Ohio and then back home.  Staying in the DC/Northern Va area I made hotel reservations through our corporate Expedia account (which is now called Egencia BTW). Though it is fine for airline reservations, I regret it every time I make a hotel reservation on Expedia.  This time I reserved a room at the Virginian Suites. I had never heard of it, but it was only $158, which is really cheap for around here.  It had 3 stars and sounded good, so I booked it.

I arrived tonight and as I pulled up I have to say that I thought I made a good choice. It is a converted apartment building and every room is actually a studio type of apartment. It has free parking and is located near where I have meetings in Arlington. I gave my name at the desk and they had my reservation, looking good!  I was given keys to room 707 and headed on up.  I got to room 707 and tried to open the door.  No luck, the keys didn???t work. After a moment or two of trying to make the keys work, the door opens and the guy who is staying in the room wants to know what I am doing trying to get in. Well I was reminded of an old Robert Schimmel comedy routine and ran away from there as fast as I could. 

I went back down to the desk and told them what happened.  The woman at the desk apologized, she meant to write room 700, not 707.  While I am waiting for her to correct this and issue new keys, I am looking at the schedule of events at the hotel today.  That is when I notice that one of the main events of the day was a someone???s funeral!  Thats right, it seems the hotel is used for funerals in the area.  That just freaked me out.  Now I am getting Six Feet Under deja vu here.  I don???t know, call me squeamish, but I just don???t feel good about staying at a hotel that doubles as a funeral home. To top it off, the Internet access here sucks. It is so slow that I am watching the paint dry.  Maybe I should go down and catch a funeral or two while I wait for a page to load.  In any event, I think this will be the last time I stay here.  I just can???t wait for what the rest of this week brings!

So another week, another travel nightmare.  This week I am in the DC area for a few days, than flying over to Ohio and then back home.  Staying in the DC/Northern Va area I made hotel reservations through our corporate Expedia account (which is now called Egencia BTW). Though it is fine for airline reservations, I regret it every time I make a hotel reservation on Expedia.  This time I reserved a room at the Virginian Suites. I had never heard of it, but it was only $158, which is really cheap for around here.  It had 3 stars and sounded good, so I booked it.

I arrived tonight and as I pulled up I have to say that I thought I made a good choice. It is a converted apartment building and every room is actually a studio type of apartment. It has free parking and is located near where I have meetings in Arlington. I gave my name at the desk and they had my reservation, looking good!  I was given keys to room 707 and headed on up.  I got to room 707 and tried to open the door.  No luck, the keys didn’t work. After a moment or two of trying to make the keys work, the door opens and the guy who is staying in the room wants to know what I am doing trying to get in. Well I was reminded of an old Robert Schimmel comedy routine and ran away from there as fast as I could. 

I went back down to the desk and told them what happened.  The woman at the desk apologized, she meant to write room 700, not 707.  While I am waiting for her to correct this and issue new keys, I am looking at the schedule of events at the hotel today.  That is when I notice that one of the main events of the day was a someone’s funeral!  Thats right, it seems the hotel is used for funerals in the area.  That just freaked me out.  Now I am getting Six Feet Under deja vu here.  I don’t know, call me squeamish, but I just don’t feel good about staying at a hotel that doubles as a funeral home. To top it off, the Internet access here sucks. It is so slow that I am watching the paint dry.  Maybe I should go down and catch a funeral or two while I wait for a page to load.  In any event, I think this will be the last time I stay here.  I just can’t wait for what the rest of this week brings!

• GAO Privacy Report
• Technology Liberation Front
• Center for Democracy and Technology
• And how about an analysis of the Privacy Act from DOJ for background reasons?

Well, let’s talk about how privacy and the Government works with Uncle Rybolov (please hold the references to Old Weird Uncle Harold until we’re through with today’s lesson please).

We have a law, the Privacy Act of 1974.  Think about it, what significant privacy-wrenching activities happened just a couple of years prior?  Can we say “Watergate Scandal“?  Can we say “Church Committee“?  Suffice it to say, the early 1970s was an era filled with privacy issues and is where most of our privacy policy and law comes from.  Remember this for later:  this was the 1970’s!

Each of the various sections of the Privacy Act deals with a particular data type.  For instance, Title 13 refers to data collected by the Census Bureau when they’ll go count everybody in 2010.

The Privacy Act talks about the stuff that everybody in the Government needs to know about:  how you’re going to jail if you disclose this information to a third party.  For those of you who have ever been in the military or had to fill out a government form that required your social security number, the light in the back of your head should be going off right now because they all have the warnings about disclosure.

Remember to respect the privacy of the beach huts and chairs photo by Joe Shlabotnik

When it comes to IT security, the Privacy Act works like this:

• You realize a need to collect PII on individuals.
• You do a privacy impact assessment to determine if you can legally collect this data and what the implications of collecting the data are.
• You build rules about what you can do normally with the data once you have collected it.  This is called the “routine use”.
• You write a report on how, why, and about whom you’re collecting this information.  This is known as the “System of Record Notice”.
• You file this report with the Federal Register to notify the public.
• This IT system becomes the authoritative source of that information.

IE, no secret dossiers on the public.  We’ll suspend our disbelief in FISA for a minute, this conversation is about non-intelligence data collection.

Now the problem with all this is that if you stop and think about it, I was 1 year old when the Privacy Act was signed.  Our technology for information sharing has gone above and beyond that.  We can exchange data much much much more quickly than the Privacy Act originally intended.  As a result, we have PII everywhere.  Most of the PII is needed to provide services to the citizens, except that it’s a royal PITA to protect it all, and that’s the lesson of the past 2 years in Government data breaches.

Problems with the Privacy Act:

• The SORN is hard to read and is not easy to find.
• Privacy Act data given to contractors or “business partners” (aka, state and local government or NGOs) does not have the same amount of oversight as it does in the Government.
• Data given to the Government by a third-party is not susceptible to the Privacy Act because the Government did not collect it.  Wow, lots of room for abuse–waterboarding-esque abuse.
• Privacy Act procedures were written for mainframes.  Mainframes have been replaced with clusters of servers.  It’s easy to add a new server to this setup.  Yes, this is a feature.
• If you build a new system with the same data types and routine uses as an already existing SORN, you can “piggyback” on that existing SORN.
• It’s very easy to use the data in a way that isn’t on your “routine use” statement, thus breaking the entire privacy system.

Obviously, at this point, you should have gotten the hint that maybe we need to revise the Privacy Act.  I think GAO and OMB would agree with you here.

So, what alternatives do we have to the existing system?

• Make blanket data types and do a PIA and SORN on them regardless of where that data lies.
• Bend the Paperwork Reduction act and OMB guidance so that we don’t collect as much information.
• Make the Privacy Act more specific on what should be in SORN, PIA, and routine use statements.

To be honest, it seems like most of this is already in place, it just needs to get tuned a little bit so we’re doing the right things.  Once again, the scale of the Government’s IT infrastructure is keeping us from doing the right thing:    there isn’t enough time in the day to do PIAs on a per-server basis or to keep track of every little bit of data.  You have to automate our privacy efforts in some fashion.

And this is why, dear readers, I think the Government needs DLP solutions more than the private sector does.  Too bad the DLP vendors are stuck on credit cards and social security numbers.

Bookmark to:

There are also a lot of errors and misconceptions. With its aggressive advertising campaign and a CEO who publishes his Social Security number and dares people to steal his identity -- Todd Davis, 457-55-5462 -- LifeLock is a company that's easy to hate. But the company's story has some interesting security lessons, and it's worth understanding in some detail.

In December 2003, as part of the Fair and Accurate Credit Transactions Act, or Facta, credit bureaus were forced to allow you to put a fraud alert on their credit reports, requiring lenders to verify your identity before issuing a credit card in your name. This alert is temporary, and expires after 90 days. Several companies have sprung up -- LifeLock, Debix, LoudSiren, TrustedID -- that automatically renew these alerts and effectively make them permanent.

This service pisses off the credit bureaus and their financial customers. The reason lenders don't routinely verify your identity before issuing you credit is that it takes time, costs money and is one more hurdle between you and another credit card. (Buy, buy, buy -- it's the American way.) So in the eyes of credit bureaus, LifeLock's customers are inferior goods; selling their data isn't as valuable. LifeLock also opts its customers out of pre-approved credit card offers, further making them less valuable in the eyes of credit bureaus.

And, so began a smear campaign on the part of the credit bureaus. You can read their points of view in this New York Times article, written by a reporter who didn't do much more than regurgitate their talking points. And the class action lawsuits have piled on, accusing LifeLock of deceptive business practices, fraudulent advertising and so on. The biggest smear is that LifeLock didn't even protect Todd Davis, and that his identity was allegedly stolen.

It wasn't. Someone in Texas used Davis's SSN to get a $500 advance against his paycheck. It worked because the loan operation didn't check with any of the credit bureaus before approving the loan -- perfectly reasonable for an amount this small. The payday-loan operation called Davis to collect, and LifeLock cleared up the problem. His credit report remains spotless.

The Experian credit bureau's lawsuit basically claims that fraud alerts are only for people who have been victims of identity theft. This seems spurious; the text of the law states that anyone "who asserts a good faith suspicion that the consumer has been or is about to become a victim of fraud or related crime" can request a fraud alert. It seems to me that includes anybody who has ever received one of those notices about their financial details being lost or stolen, which is everybody.

As to deceptive business practices and fraudulent advertising -- those just seem like class action lawyers piling on. LifeLock's aggressive fear-based marketing doesn't seem any worse than a lot of other similar advertising campaigns. My guess is that the class action lawsuits won't go anywhere.

In reality, forcing lenders to verify identity before issuing credit is exactly the sort of thing we need to do to fight identity theft. Basically, there are two ways to deal with identity theft: Make personal information harder to steal, and make stolen personal information harder to use. We all know the former doesn't work, so that leaves the latter. If Congress wanted to solve the problem for real, one of the things it would do is make fraud alerts permanent for everybody. But the credit industry's lobbyists would never allow that.

LifeLock does a bunch of other clever things. They monitor the national address database, and alert you if your address changes. They look for your credit and debit card numbers on hacker and criminal websites and such, and assist you in getting a new number if they see it. They have a million-dollar service guarantee -- for complicated legal reasons, they can't call it insurance -- to help you recover if your identity is ever stolen.

But even with all of this, I am not a LifeLock customer. At $120 a year, it's just not worth it. You wouldn't know it from the press attention, but dealing with identity theft has become easier and more routine. Sure, it's a pervasive problem. The Federal Trade Commission reported that 8.3 million Americans were identity-theft victims in 2005. But that includes things like someone stealing your credit card and using it, something that rarely costs you any money and that LifeLock doesn't protect against. New account fraud is much less common, affecting 1.8 million Americans per year, or 0.8 percent of the adult population. The FTC hasn't published detailed numbers for 2006 or 2007, but the rate seems to be declining.

New card fraud is also not very damaging. The median amount of fraud the thief commits is $1,350, but you're not liable for that. Some spectacularly horrible identity-theft stories notwithstanding, the financial industry is pretty good at quickly cleaning up the mess. The victim's median out-of-pocket cost for new account fraud is only $40, plus ten hours of grief to clean up the problem. Even assuming your time is worth $100 an hour, LifeLock isn't worth more than $8 a year.

And it's hard to get any data on how effective LifeLock really is. They've been in business three years and have about a million customers, but most of them have joined up in the last year. They've paid out on their service guarantee 113 times, but a lot of those were for things that happened before their customers became customers. (It was easier to pay than argue, I assume.) But they don't know how often the fraud alerts actually catch an identity thief in the act. My guess is that it's less than the 0.8 percent fraud rate above.

LifeLock's business model is based more on the fear of identity theft than the actual risk.

It's pretty ironic of the credit bureaus to attack LifeLock on its marketing practices, since they know all about profiting from the fear of identity theft. Facta also forced the credit bureaus to give Americans a free credit report once a year upon request. Through deceptive marketing techniques, they've turned this requirement into a multimillion-dollar business.

Get LifeLock if you want, or one of its competitors if you prefer. But remember that you can do most of what these companies do yourself. You can put a fraud alert on your own account, but you have to remember to renew it every three months. You can also put a credit freeze on your account, which is more work for the average consumer but more effective if you're a privacy wonk -- and the rules differ by state. And maybe someday Congress will do the right thing and put LifeLock out of business by forcing lenders to verify identity every time they issue credit in someone's name.

This essay originally appeared in Wired.com.