October 1, 2013 – Big Data security and privacy risk podcast
I recently participated in a podcast sponsored by Edward Haletky at The Virtualization Practice.
My co-panelists (Edward, Iben Rodriguez @iben, Mike Foley @mikefoley) and I discussed many aspects of the inherent security and privacy risks that enterprises and the general public alike are encountering with Big Data. You can find a recording of the podcast here.
May 9, 2013 – Data never really disappears, particularly when it’s supposed to
If you have a teenage son or daughter, you may be familiar with an app called ‘Snapchat’. Its claim to fame – that is, until earlier today – is that it deletes all messages (text, photo, or otherwise) within a few seconds, thus keeping sensitive information safe from the prying eyes of parents, police, marketers, and all sorts of other nefarious characters.
But lo and behold, as it turns out, Snapchat actually doesn’t delete the data after all. Instead, it’s simply moved to a hidden directory, where, with enough time and the right tooling, it can be recovered. You can read all about it here.
Whether or not you’re prone to sharing too much information, the takeaway from this little debacle is that data never really goes away, especially once a smartphone gets involved – not to mention the cloud. Keep that in mind the next time you’re tempted to use technology to record, say, or write something that you don’t want anyone else to see or hear.
February 11, 2013
I’m looking forward to my speaking engagement at the Conference on Big Data Security this July in Boston. I’ll be talking about how to keep your Hadoop environment safe and secure. In particular, I’ll be discussing:
- The key diverse technologies contained within a typical Hadoop environment
- Current and emerging security risks characteristic of Hadoop implementations
- Setting and attaining realistic goals
- Contrasting open-source vs. proprietary Hadoop security tools
- Protecting your Hadoop landscape through controlled access
- Inherent differences between safeguarding data at rest and defending data in motion
I hope you can join me there – it should be a very interesting conference.
December 11, 2012 – Two recent examples of international suspicion of U.S. cloud computing providers
I’m fortunate to attend and speak at many cloud computing and Big Data events all around the world. I also work with large global corporations and governments to help design and deploy these types of environments. I really enjoy getting to meet such a diverse array of people.
Whenever I give a talk about the potential for cloud computing, I notice – without fail – one common thread among all of these audiences: vast misgivings about cloud computing solutions provided by American corporations. The perception is that the U.S. government will – as a matter of course – intercept, amass, and analyze all transactions, stored information, and network traffic for these cloud environments. Even if routine analysis isn’t being performed, these audiences figure that it only takes a phone call from a U.S. government representative for these cloud providers to “open the kimono”, without telling the customer of course. We’ve already seen examples of these back doors – consider how AT&T opened their network to comprehensive and clandestine monitoring by the NSA.
The people who share these concerns with me aren’t drug kingpins, terrorists, or Washington lobbyists. They’re executives and technology leaders at very reputable global powerhouses that are operating under strict fiduciary and regulatory guidelines. I know for a fact that these reservations – particularly of the PATRIOT Act – are costing American businesses money.
Many people have told me that they go out of their way to store their data in non-U.S. cloud providers, and that they don’t even trust an American cloud provider that’s storing data in Europe or Asia.
Two stories in the news recently highlight the international resistance to American-based cloud computing vendors. In the first case, the British government barred Amazon and Google from participating in the UK’s G-Cloud platform initiative. Service features, enterprise-readiness, and other factors appear to be behind this decision, but a major concern also appears to be that:
Many of these cloud services store initial data in Europe but then back it up to somewhere where the laws are different and you can’t do that
Coincidentally, a couple of days later we learned of a report which indicates that the:
U.S. legal state of affairs implies that the transition towards the cloud has important negative consequences for the possibility to manage information confidentiality, information security and the privacy of European end users in relation to foreign governments
At first glance, all of this may be perceived as simply an issue between the American government and the rest of the world. But dig a little deeper and you’ll soon realize that any government has the potential to snoop on information stored within or passing through its borders, or maintained by a firm under its jurisdiction.
Doubt me? How do you feel about hosting your most sensitive data on third party servers based in Shanghai? This problem will only become more prominent in coming years, as more applications and related data move to the cloud, and globalized technology providers try to meet this demand.
What’s the solution? That’s a topic for another time.
September 14, 2012 – Three free password strength web sites
As our data increasingly moves online, creating, managing, and using passwords is more important than ever before. Getting a password stolen – or cracked by an unauthorized third party – can be very painful. Things are much worse if that one compromised password unlocks lots of doors. For this reason, it’s extremely unwise to use the same password for different websites, since a breach at one site exposes you everywhere. With this in mind, it’s smarter to create distinct passwords for each web site, application, email service, and so on. However, given the proliferation of online resources, many people must manage dozens of different logins, and some have many more. For example, I maintain nearly 200 different passwords.
When it comes to setting up passwords, there’s a perception that a strong password is hard to create – and even more difficult to remember. This is why I use a third party password management tool. There are many on the market, but I like Callpod Keeper. It’s up to you to set a master password, but once you’ve done that Keeper will generate passwords for each site you visit. Another choice is to simply create your own passwords on a site-by-site basis and store them in Keeper.
Regardless of where and how you create your password, it’s natural to wonder how secure it is. Believe it or not, it will often take a brute-force attack longer to break an easy-to-remember phrase than a short, unmemorable, cryptic password, simply because the phrase is so much longer. To help you gauge the relative strengths of your passwords, take a look at each of these helpful sites:
1. How Big is Your Haystack? This site is from Gibson Research, provider of many excellent networking and security utilities.
2. Dropbox’s zxcvbn password strength estimator. This utility was created as a companion piece to a really well written blog post. I like how this utility shows you a play-by-play of how a brute force attack might be launched against your password.
3. How Secure is My Password? Color-coding (red is bad, green is good) adds a nice visual effect that tells you how long it will take to break your password.
As you experiment with these sites, I recommend trying a variety of passwords and phrases. Don’t forget to throw in special characters, uppercase letters, numbers and so on.
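To show why the long phrase usually wins, here is an added example (not code from the post or from any of the three sites) that estimates a "haystack"-style search space the way the first site describes: the alphabet is the union of the character classes a password uses, and an exhaustive search must try every string up to that length. The sample passwords and the 1e11 guesses-per-second rate are constructed assumptions; this is an upper bound, and a dictionary-based estimator such as zxcvbn will rate a phrase built from common words lower than this calculation does.

```python
import string

# Character classes, in the spirit of the "haystack" calculator described above.
# Note: string.punctuation has 32 symbols; adding the space makes 33.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover: the union of
    every character class the password actually uses (e.g. lower+digit = 36)."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def haystack_size(password: str) -> int:
    """Worst-case number of candidates an exhaustive search tries before
    reaching the password: every string of length 1..L over the alphabet,
    i.e. n + n^2 + ... + n^L."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))

def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time to search the entire haystack at an assumed offline guess rate."""
    return haystack_size(password) / guesses_per_second

def human_time(seconds: float) -> str:
    """Rough, readable duration (constructed helper, not a library function)."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def compare(short_cryptic: str, long_phrase: str, rate: float = 1e11) -> dict:
    """Side-by-side haystack estimate for the two styles the post contrasts."""
    return {pw: {"alphabet": alphabet_size(pw), "length": len(pw),
                 "haystack": haystack_size(pw),
                 "exhaust": human_time(seconds_to_exhaust(pw, rate))}
            for pw in (short_cryptic, long_phrase)}

if __name__ == "__main__":
    # Constructed sample passwords; 1e11 guesses/s is an assumed offline rate.
    for pw, info in compare("Tr0ub&3", "my dog eats 3 socks a day").items():
        print(f"{pw!r}: {info}")
```

The seven-character password uses all four classes (a 95-symbol alphabet) yet is exhausted in minutes at the assumed rate, while the 25-character phrase with a smaller 69-symbol alphabet runs to an astronomical number of years.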
December 21, 2011 – Use encryption and the cloud to shield your data at the border
When you pass through customs (U.S. or elsewhere), your data is more vulnerable than ever before thanks to modern data forensics tools paired with raw computing power. Whether you want to protect your personal or business data, check out this informative guide from the Electronic Frontier Foundation about how to defend your privacy at the border.
Our lives are on our laptops – family photos, medical documents, banking information, details about what websites we visit, and so much more. Thanks to protections enshrined in the U.S. Constitution, the government generally can’t snoop through your laptop for no reason. But those privacy protections don’t safeguard travelers at the U.S. border, where the U.S. government can take an electronic device, search through all the files, and keep it for a while for further scrutiny – without any suspicion of wrongdoing whatsoever.