Skip to main content

Aligning Online Security Interests

There was an interesting discussion regarding the larger societal problems associated with the use of insecure online services over at Wade Woolwine's blog. This is a follow-on to the discussion by Jeremiah Grossman - regarding the alignment of interests in web security.

This discussion centered around the topic of how to align interests related to protecting online information. I have separated this problem into what I think are three important parts,
  1. Definition of common goals,
  2. Evaluation of online services against these definitions, and
  3. Education of consumers/clients/users of the product standards and evaluations.
As a security professional, I often use the metaphor of information security controls as they mirror the emergency brakes used car, in the fact that they are used as risk mitigation. The faster you want to get from A to B, the more robust brakes you need. In addition for the purposes of this discussion, for vehicles in Canada there is also a minimum standard of brake required to even be allowed on the street, and this contrasts to the security of online services where there is no minimum standard required.

As I discuss each of these, I will try to compare it to the Canadian vehicle industry where a very robust system (not perfect though) exists to help educate consumers to make smart security decisions about the cars they drive based on their regulated safety features.

Defining common security goals

Unlike the auto industry, online security has had a difficult time defining common language and standards for what a 'safe' online service would consist of. Payment Card Industry has one standard which pertains to a very small subset of data, and other regulations such as the Health Information Act and the Privacy Act offer some indirect guidance. For Automobiles, the Government under the authority of Transportation Canada provides very specific language as part of the Motor Vehicle Safety Act (MVSA). As you would expect, this act has very definitive instructions on what is required in terms of controls within the different classes of motor vehicles in Schedule III in order to comply with the requirements.

In contrast, the only instance I can find of Canadian federal government definitions of online service security goals would be for Privacy Act, and Personal Information Protection and Electronic Documents Acts. These laws are focused squarely on the collection and use of personal identifying information through electronic and non-electronic means, and do not address the delivery of any online services affecting commerce, media publications or any other online service we interact with.

There are many questions related to establishing a common definition of security goals. What are the risks to Canadian society, people and businesses through the use of unsafe online services, and how do we measure them? Is the current privacy legislation broad enough and strong enough to be effective at protecting Canadian people and businesses from the risks of connecting to online and electronic services? Is there a justifiable need to define more specific standards for the safety of online services to allow for them to be independently evaluated like cars are?

Evaluation of Products and Services

Crash tests and safety ratings are a part of the development of every automobile sold in Canada. Canadian manufacturers of these products spend a great deal of money and effort ensuring that their products will pass the minimum standards and they provide self-certification that they comply with the legislated requirements. Although I couldn't find a study to show it, I would imagine that the majority of Canadians would expect correctly that a vehicle purchased in Canada would be already compliant with these standards and thus feel comfortable in the fact that when they step on the brakes that the car will stop.

Again in contrast, there is no way for a Canadian to know whether an online service that they are interacting with is compliant with any online regulation or certification established to protect their interactions and dealings with the service. I would also expect that in a similar poll of Canadians that most would admit to being skeptical of the security and safety of transacting with many online services - even the Canadian government's own services - and that in many cases prevents them in utilizing these online services.

Is this level of skepticism related to online interactions acceptable to Canadian society? And is individual demands for the safety of the online services enough? If demands for vehicle safety were left to the consumer alone, would this be enough incentive to ensure vendors protect us?

Enforcement and Education

Transport Canada also provides some handy guidelines which explain the methods in which the regulations are enforced. These are very carefully worded and provide an excellent description of the objectives, roles and responsibilities of the various Government agencies in ensuring compliance with the regulations.

This is again entirely different when we look at the world of online security, yet this is also to be expected as the legislation, regulation and standardization have not been established. At the same time it does not take that much imagination to conceive of a similar arrangement for ensuring the standardization of online services provided by Canadian entities. Could we not have a set of criteria to which Canadian based organizations, public and private, design their services to be protected against? Is is too far fetched to think that we could have a national safety mark that we could use to certify online services?

Conclusion

Although my comparison of the risks related to use of unsafe automobiles to the risks of using unsafe online services may not be comparable in terms of scale (the risk to life is obviously more important than the risks of information compromise) but I also believe that the alignment of interests including government regulation, if properly designed and implemented, could offer Canadian's a distinct advantage in terms of reputation in the online world.

I would also argue that without these protections afforded average Canadians will continue to be impacted as our use of online services grow.

But there are also significant challenges in educating both the policy-makers and the public on the risks to insecure online services - how many unreported breaches and abuses of information should be tolerated before we act in this way? Is there a common language that can be developed to ensure that the scope and mandate are clear?

I welcome comments and questions from others on this topic.

Comments

code technology said…
Hey Mark, good post. It is useful to compare one set of safety expectations with those for information security, privacy and identity.

The one area where there is movement to define standard approaches is in identity management. The Pan-Canadian Strategy for Identity Management & Authentication includes a framework that addresses a lot of the foundation stuff necessary to, in the future, define the types of regulations you are referring to (at least in the identity space).

Full report is at: http://www.cio.gov.bc.ca/idm/idmatf/IdMAFinalReport.pdf

Mike
http://codetechnology.ca

Popular posts from this blog

Consumer Benefits of Credit Card Security

Recently, new types of credit card security features have be debuted, such as this one from Visa. And as some of the comments on Bruce Schneier's blog point out, its questionable how effective this is. I want to figure out what the motivation is behind these ideas, as it appears banks and the major credit card brands are not completely transparent about the benefits to the consumer. My example is this, one source has that in 2005 $2.8 million was lost due to credit card fraud from Visa and MasterCard in Canada alone. These costs are absorbed by the credit card companies as they protect their cardholders from liability, but as can be expected these costs are directly applied to the card brand customers, people and merchants, in the form of fees and interest rates. Now lets say that card brands can deploy a technology to eliminate 90% of this fraud and associated insurance and liability costs. Likely a large savings both in Canada and globally. Would we, the public and mercha

OpenSolaris, ZFS, iSCSI and OSX - Creative Storage - Part II

In part I of this post, I looked at the simple steps required to setup a relatively simple storage solution using OpenSolaris, ZFS, iSCSI and OSX. This was about a month ago, and I've made some significant changes on how this is used for me. At the end of the last post I left off on the part dealing with configuration of the iSCSI initiator side of the solution. I stopped here because there were some issues related to the installation and use of the software. The iSCSI initiator that I was using was Studio Network Solutions GlobalSAN initiator (version 3.3.0.43) which is used to allow for connections to their products. This software will also allow for connections to ANY iSCSI target! After the configuration of the iSCSI target on the ZFS pool, and installation of the client it was trivial to get the connection established with the storage pool, and it showed up in OSX as a raw disk which had not been formatted. I proceeded to format the disk as HFS+ and it then mounted as a lo

May Security Catch-up

Its been much too long since my last post - Sony's PSN network has been breached a few times , a record number of vulnerabilities have been published , and the US government has released a new set of cyber space strategies . On the cool tools and technologies there have been lots of notable releases: Some research from Albert Cotesi New Zealand on the traffic flowing from IOS to 3rd parties, now sniffable thanks to MITMProxy , and instructions on getting it working with IOS As always SQLmap is making life easier for the vulnerability assessor and pen-tester. Microsoft has released an updated to the Enhanced Mitigation Experience Toolkit - I'll be looking into this over the next few weeks, and how it can be applied practically. New major version of Backtrack also released, for those of you that are still relying upon live-cd's as a source for tools.