Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Privacy

 

MY TAKE: Technologists, privacy advocates point to flaws in the Apple-Google COVID-19 tracing app

By Byron V. Acohido

If the devastating health and economic ramifications weren’t enough, individual privacy is also in the throes of being profoundly and permanently disrupted by the coronavirus pandemic. The tech giants are partnering on a tool for public good, but critics worry it will ultimately get used for predatory surveillance.

Related: Europe levies big fines for data privacy missteps

Apple and Google are partnering up to bring technology to bear on COVID-19 contact tracing efforts. The tech giants are laudably putting aside any competitive urgings to co-develop a solution that combines mobile operating system, Bluetooth and GPS technologies to help us all get past the burgeoning health crisis.

However, in an apparent effort to live down Google’s abjectly poor track record respecting consumer privacy, the Apple-Google partnership is treading lightly to avoid anything that might hint at an undue invasion of individual privacy. In doing so, their proposed solution has a number of glaring technical and privacy-protection shortcomings, according to several technologists I spoke with.  In fact, the Apple-Google project has exacerbated a privacy controversy that flared up in Europe in the early stages, one that has more recently been picking up steam in the U.S., as well. Here’s how technologists and privacy experts see things stacking up:

Bluetooth-based tracing

Infected persons will be able to use their iPhones or Android devices to make their status known to a central server, which then correlates an anonymized identifier of the infected person to anonymized IDs of non-infected persons who happen to be in close proximity. The server then alerts the non-infected persons to self-immunize.

GUEST ESSAY: What everyone should know about the pros and cons of online fingerprinting

By Ebbe Kernel

When it was first introduced, device fingerprinting – or online fingerprinting in general – was meant to create a safer, more responsible internet. The idea was that by fingerprinting devices used to connect to the internet we could achieve better accountability.

Related: Why Satya Nadella calls for regulation of facial recognition systems

The concept itself is still very much relevant today. Fingerprinting is considered a necessary practice to fight challenges such as fake accounts and the misuse of internet services. However, online fingerprinting is also being used to track users. Now, fingerprinting is a tool in the marketer’s toolbox. Has it failed in its initial mission?

If you are not familiar with the concept of online fingerprinting, the principles behind it are very simple. More about it can be found on Smartproxy. Whenever you access a web server, details about your IP address, your browser information, your device information, and other information are recorded in logs. Logged online activities are easier to trace so service providers can perform the necessary security check if one is required.

Fingerprinting makes it difficult for irresponsible parties to create fake accounts or social media pages. Service providers can recognize signs of fake accounts from similarities in their fingerprints, allowing further action to be taken against those accounts. In the era of bots and fake news, fingerprinting is supposed to work seamlessly.

The Electronic Frontier Foundation (EFF) recently revealed just how many details are leaked and stored when you access a web server. The number

of details that are recorded is simply staggering, with information such as your approximate location, the referrer site, and whether you have Do Not Track activated being leaked.

MY TAKE: COVID-19’s silver lining could turn out to be more rapid, wide adoption of cyber hygiene

By Byron V. Acohido

Long before COVID-19, some notable behind-the-scenes forces were in motion to elevate cybersecurity to a much higher level.

Related: How the Middle East has advanced mobile security regulations

Over the past couple of decades, meaningful initiatives to improve online privacy and security, for both companies and consumers, incrementally gained traction in the tech sector and among key regulatory agencies across Europe, the Middle East and North America. These developments would have, over the next decade or so, steadily and materially reduced society’s general exposure to cybercrime and online privacy abuses.

Then COVID-19 came along and obliterated societal norms and standard business practices. A sweeping overhaul of the status quo – foreshadowed by the sudden and acute shift to a predominantly work-from-home workforce – lies ahead.

One thing is certain, as this global reset plays out, cyber criminals will seize upon fresh opportunities to breach company and home networks, and to steal, defraud and disrupt, which they’ve already commenced doing.

Yet there are a few threads of a silver lining I’d like to point out. It is possible, if not probable, that we are about to witness an accelerated rate of adoption of cyber hygiene best practices, as well as more intensive use of leading-edge security tools and services. And this positive upswing could be reinforced by stricter adherence to, not just the letter, but the spirit of data security laws already on the books in several nations.

There is an urgency in the air to do the right thing. Several key variables happen to be tilting in an advantageous direction. Here’s a primer about how cyber hygiene best practices – and supporting security tools and services – could gain significant steam in the months ahead, thanks to COVID-19.

BEST PRACTICES: Why pursuing sound ‘data governance’ can be a cybersecurity multiplier

By Byron V. Acohido

Deploying the latest, greatest detection technology to deter stealthy network intruders will take companies only so far.

Related: What we’ve learned from the massive breach of Capitol One

At RSA 2020, I learned about how one of the routine daily chores all large organizations perform — data governance — has started to emerge as something of a cybersecurity multiplier.

It turns out there are some housekeeping things companies can do while ingesting, leveraging and storing all of the data churning through their complex hybrid cloud networks. And by doing this housekeeping – i.e. by improving their data governance practices — companies can reap higher efficiencies, while also tightening data security.

This nascent trend derives from a cottage industry of tech vendors in the “content collaboration platform” (CCP) space, which evolved from the earlier “enterprise file sync and share”  (EFSS) space. I had the chance to sit down with Kris Lahiri, CSO and co-founder of Egnyte, one of the original EFSS market leaders. For a drill down on our discussion about how data governance has come to intersect with cybersecurity, give a listen to the accompanying podcast. Here are key takeaways:

Storage efficiencies

With so much data coursing through business networks, companies would be wise to take into consideration the value vs. risk proposition of each piece of data, Lahiri says. The value of data connected to a live project is obvious. What many organizations fail to do is fully assess – and set policies for — data they hang on to after the fact.

One reason for this is storage is dirt cheap. It has become common practice for companies to store a lot of data without really thinking too hard about it. In fact, there’s a strong case to be made for meticulously archiving all stored data, as well as getting on a routine of purging unneeded data on a regular basis.

SHARED INTEL: FireMon survey shows security lags behind fast pace of hybrid cloud deployments

By Byron V. Acohido

Corporate America’s love affair with cloud computing has hit a feverish pitch. Yet ignorance persists when it comes to a momentous challenge at hand: how to go about tapping the benefits of digital transformation while also keeping cyber exposures to a minimum level.

Related: Why some CEOs have quit tweeting

That’s the upshot of FireMon’s second annual State of Hybrid Cloud Security Report of 522 IT and security professionals, some 14 percent of whom occupy C-suite positions.

Nearly 60 percent of the respondents indicated the pace of their cloud deployments have surpassed their ability to secure them in a timely manner. Notably, that’s essentially the same response FireMon got when it posed this same question in its inaugural hybrid cloud survey some 14 months ago.

That’s not a good thing, given migration to cloud-based business systems, reliance on mobile devices and onboarding of IoT systems are all on an upward sweep. “It doesn’t seem like we’ve moved the needle on security at all,” says Tim Woods, vice president of technology alliances at FireMon, the leading provider of automated network security policy management systems.

I had the chance to visit with Woods at RSAC 2020 in San Francisco recently. For a full drill down on our discussion, please give a listen to the accompanying podcast. Here’s a summary of key takeaways:

Shared burden confusion

Hybrid cloud refers to the mixing and matching of on-premise IT systems, aka private clouds, with processing power, data storage, and collaboration tools leased from public cloud services, such as Amazon Web Services, Microsoft Azure and Google Cloud. Hybrid clouds are being leveraged to refresh legacy networks, boost productivity and innovate new software services at breakneck speed, to keep pace with rivals.

NEW TECH: Can MPC — Multi Party Computation — disrupt encryption, boost cloud commerce?

By Byron V. Acohido

Encryption is a cornerstone of digital commerce. But it has also proven to be a profound constraint on the full blossoming of cloud computing and the Internet of Things.

Related: A ‘homomorphic-like’ encryption solution

We know very well how to encrypt data in transit. And we’ve mastered how to encrypt — and decrypt — data at rest. However, we’ve yet to arrive at a seminal means to crunch encrypted data – without first having to decrypt it.

Math geniuses and data scientists have been trying to solve this problem for more than half a century. It has only been in the past 10 years or so that commercial versions of homomorphic encryption, which I’ve written about, have slowly gained traction. Another solution is something called Multi Party Computation, or MPC, which I was unfamiliar with when heading to RSA 2020 recently.

I had the chance to visit with Nigel Smart, co-founder of Unbound Tech, a company which uses MPC technology to solve the problem of private key protection and key management. The company, based in Petach Tikvah, Israel, addresses the problem via a “virtual Hardware Security Module” as opposed to the traditional method of using physical infrastructure. Smart told me about how MPC has attracted the attention of the cryptocurrency community, in particular the purveyors of crypto currency exchanges and the suppliers of digital wallets.

And he explained how advanced encryption technologies, like MPC and homomorphic encryption, are on the cusp of enabling much higher use of the mountains of data hoarded in cloud storage by companies and governments. For a full drill down on our discussion, give the accompanying podcast a listen. My big takeaways:

NEW TECH: Devolutions’ ‘PAM’ solution helps SMBs deal with rising authentication risks

By Byron V. Acohido

The cybersecurity needs of small- and mid-sized businesses (SMBs) differ from those of large enterprises, but few solutions cater to them. A 2018 Cisco Cybersecurity Special Report found that 54 % of all cyber attacks cost the target company more than $0.5 million — damages that would crush most SMBs. However, smaller companies rarely have the IT talent, tools, or budget to prevent such attacks.

Related: SMBs are ill-equipped to deal with cyber threats

Without a cohesive cybersecurity framework, SMBs are falling further behind as digital transformation, or DX, ramps up.  Embracing digital transformation becomes even more of a challenge without a dedicated platform to address vulnerabilities.

I spoke with Maurice Côté, VP Business Solutions, and Martin Lemay, CISO,  of Devolutions, at the RSA 2020 Conference in San Francisco recently. Devolutions is a Montreal, Canada-based company that provides remote connection in addition to password and privileged access management (PAM) solutions to SMBs. You can get a full drill down on our discussion in the accompanying podcast. Here are some of the key takeaways:

PAM 101

PAM is crucial to all companies because it reduces opportunities for malicious users to penetrate networks and obtain privileged account access, while providing greater visibility of the environment. Current PAM solutions cater almost exclusively for large organizations.

Suppliers simply strip down their enterprise versions to sell to SMBs, with their solutions being prohibitively expensive for SMBs. Poorly implemented authentication can also lead to network breaches and compliance headaches.