
Aligning Online Security Interests

There was an interesting discussion regarding the larger societal problems associated with the use of insecure online services over at Wade Woolwine's blog. This is a follow-on to the discussion by Jeremiah Grossman regarding the alignment of interests in web security.

This discussion centered on how to align interests related to protecting online information. I have separated this problem into what I think are three important parts:
  1. Definition of common goals,
  2. Evaluation of online services against these definitions, and
  3. Education of consumers/clients/users about the product standards and evaluations.
As a security professional, I often use the metaphor that information security controls mirror the brakes used in a car, in that both are a form of risk mitigation. The faster you want to get from A to B, the more robust the brakes you need. In addition, and relevant to this discussion, vehicles in Canada must meet a minimum standard of braking to even be allowed on the street; this contrasts with the security of online services, where no minimum standard is required.

As I discuss each of these, I will compare it to the Canadian vehicle industry, where a very robust (though not perfect) system exists to help educate consumers to make smart security decisions about the cars they drive, based on their regulated safety features.

Defining common security goals

Unlike the auto industry, online security has had a difficult time defining a common language and standards for what a 'safe' online service would consist of. The Payment Card Industry has one standard, which pertains to a very small subset of data, and other regulations such as the Health Information Act and the Privacy Act offer some indirect guidance. For automobiles, the Government, under the authority of Transport Canada, provides very specific language as part of the Motor Vehicle Safety Act (MVSA). As you would expect, this act gives very definitive instructions in Schedule III on what controls are required within the different classes of motor vehicles in order to comply with the requirements.

In contrast, the only instances I can find of Canadian federal government definitions of online service security goals are the Privacy Act and the Personal Information Protection and Electronic Documents Act. These laws are focused squarely on the collection and use of personally identifying information through electronic and non-electronic means, and do not address the delivery of any online services affecting commerce, media publications or any other online service we interact with.

There are many questions related to establishing a common definition of security goals. What are the risks to Canadian society, people and businesses through the use of unsafe online services, and how do we measure them? Is the current privacy legislation broad enough and strong enough to be effective at protecting Canadian people and businesses from the risks of connecting to online and electronic services? Is there a justifiable need to define more specific standards for the safety of online services to allow for them to be independently evaluated like cars are?

Evaluation of Products and Services

Crash tests and safety ratings are part of the development of every automobile sold in Canada. Canadian manufacturers of these products spend a great deal of money and effort ensuring that their products pass the minimum standards, and they self-certify that they comply with the legislated requirements. Although I couldn't find a study to show it, I would imagine that the majority of Canadians correctly expect that a vehicle purchased in Canada already complies with these standards, and thus feel comfortable that when they step on the brakes the car will stop.

Again in contrast, there is no way for a Canadian to know whether an online service they are interacting with is compliant with any online regulation or certification established to protect their interactions and dealings with the service. I would also expect that in a similar poll of Canadians, most would admit to being skeptical of the security and safety of transacting with many online services, even the Canadian government's own services, and that in many cases this prevents them from using these services.

Is this level of skepticism about online interactions acceptable to Canadian society? And are individual demands for the safety of online services enough? If demands for vehicle safety were left to the consumer alone, would this be enough incentive to ensure vendors protect us?

Enforcement and Education

Transport Canada also provides some handy guidelines explaining how the regulations are enforced. These are very carefully worded and provide an excellent description of the objectives, roles and responsibilities of the various Government agencies in ensuring compliance with the regulations.

This is again entirely different when we look at the world of online security, yet this is also to be expected, as the legislation, regulation and standardization have not been established. At the same time, it does not take much imagination to conceive of a similar arrangement for ensuring the standardization of online services provided by Canadian entities. Could we not have a set of criteria against which Canadian-based organizations, public and private, design their services to be protected? Is it too far-fetched to think that we could have a national safety mark that we could use to certify online services?


Although the risks of using unsafe automobiles and the risks of using unsafe online services may not be comparable in terms of scale (the risk to life is obviously more important than the risk of information compromise), I believe that an alignment of interests, including government regulation, if properly designed and implemented, could offer Canadians a distinct advantage in terms of reputation in the online world.

I would also argue that without these protections, average Canadians will continue to be impacted as our use of online services grows.

But there are also significant challenges in educating both policy-makers and the public on the risks of insecure online services: how many unreported breaches and abuses of information should be tolerated before we act in this way? Is there a common language that can be developed to ensure that the scope and mandate are clear?

I welcome comments and questions from others on this topic.


code technology said…
Hey Mark, good post. It is useful to compare one set of safety expectations with those for information security, privacy and identity.

The one area where there is movement to define standard approaches is in identity management. The Pan-Canadian Strategy for Identity Management & Authentication includes a framework that addresses a lot of the foundation stuff necessary to, in the future, define the types of regulations you are referring to (at least in the identity space).

Full report is at:

