Aligning Online Security Interests

There was an interesting discussion regarding the larger societal problems associated with the use of insecure online services over at Wade Woolwine's blog. This is a follow-on to the discussion by Jeremiah Grossman regarding the alignment of interests in web security.

This discussion centered on how to align interests related to protecting online information. I have separated this problem into what I think are three important parts:
  1. Definition of common goals,
  2. Evaluation of online services against these definitions, and
  3. Education of consumers/clients/users about the product standards and evaluations.

As a security professional, I often use the metaphor that information security controls mirror the emergency brakes used in a car, in that they are used as risk mitigation. The faster you want to get from A to B, the more robust the brakes you need. In addition, for the purposes of this discussion, vehicles in Canada must meet a minimum standard of brake to even be allowed on the street. This contrasts with the security of online services, where no minimum standard is required.

As I discuss each of these, I will try to compare it to the Canadian vehicle industry where a very robust system (not perfect though) exists to help educate consumers to make smart security decisions about the cars they drive based on their regulated safety features.

Defining common security goals

Unlike the auto industry, online security has had a difficult time defining common language and standards for what a 'safe' online service would consist of. The Payment Card Industry has one standard, which pertains to a very small subset of data, and other regulations such as the Health Information Act and the Privacy Act offer some indirect guidance. For automobiles, the government, under the authority of Transport Canada, provides very specific language as part of the Motor Vehicle Safety Act (MVSA). As you would expect, Schedule III of this act gives very definitive instructions on the controls required within the different classes of motor vehicles in order to comply with the requirements.

In contrast, the only instances I can find of Canadian federal government definitions of online service security goals are the Privacy Act and the Personal Information Protection and Electronic Documents Act. These laws are focused squarely on the collection and use of personal identifying information through electronic and non-electronic means, and do not address the delivery of any online services affecting commerce, media publications or any other online service we interact with.

There are many questions related to establishing a common definition of security goals. What are the risks to Canadian society, people and businesses through the use of unsafe online services, and how do we measure them? Is the current privacy legislation broad enough and strong enough to be effective at protecting Canadian people and businesses from the risks of connecting to online and electronic services? Is there a justifiable need to define more specific standards for the safety of online services to allow for them to be independently evaluated like cars are?

Evaluation of Products and Services

Crash tests and safety ratings are a part of the development of every automobile sold in Canada. Canadian manufacturers of these products spend a great deal of money and effort ensuring that their products will pass the minimum standards, and they provide self-certification that they comply with the legislated requirements. Although I couldn't find a study to show it, I would imagine that the majority of Canadians would correctly expect that a vehicle purchased in Canada already complies with these standards, and thus feel comfortable that when they step on the brakes the car will stop.

Again in contrast, there is no way for a Canadian to know whether an online service that they are interacting with is compliant with any online regulation or certification established to protect their interactions and dealings with the service. I would also expect that in a similar poll of Canadians most would admit to being skeptical of the security and safety of transacting with many online services - even the Canadian government's own services - and that in many cases this prevents them from using these online services.

Is this level of skepticism related to online interactions acceptable to Canadian society? And are individual demands for the safety of online services enough? If demands for vehicle safety were left to the consumer alone, would this be enough incentive to ensure vendors protect us?

Enforcement and Education

Transport Canada also provides some handy guidelines which explain the methods by which the regulations are enforced. These are very carefully worded and provide an excellent description of the objectives, roles and responsibilities of the various Government agencies in ensuring compliance with the regulations.

This is again entirely different when we look at the world of online security, yet this is also to be expected as the legislation, regulation and standardization have not been established. At the same time, it does not take much imagination to conceive of a similar arrangement for ensuring the standardization of online services provided by Canadian entities. Could we not have a set of criteria to which Canadian-based organizations, public and private, design their services to be protected against? Is it too far-fetched to think that we could have a national safety mark that we could use to certify online services?

Conclusion

The risks related to the use of unsafe automobiles and the risks of using unsafe online services may not be comparable in terms of scale (the risk to life is obviously more important than the risks of information compromise), but I also believe that the alignment of interests, including government regulation, if properly designed and implemented, could offer Canadians a distinct advantage in terms of reputation in the online world.

I would also argue that, without these protections, average Canadians will continue to be impacted as our use of online services grows.

But there are also significant challenges in educating both the policy-makers and the public on the risks of insecure online services - how many unreported breaches and abuses of information should be tolerated before we act in this way? Is there a common language that can be developed to ensure that the scope and mandate are clear?

I welcome comments and questions from others on this topic.

Comments

code technology said…
Hey Mark, good post. It is useful to compare one set of safety expectations with those for information security, privacy and identity.

The one area where there is movement to define standard approaches is in identity management. The Pan-Canadian Strategy for Identity Management & Authentication includes a framework that addresses a lot of the foundation stuff necessary to, in the future, define the types of regulations you are referring to (at least in the identity space).

Full report is at: http://www.cio.gov.bc.ca/idm/idmatf/IdMAFinalReport.pdf

Mike
http://codetechnology.ca
